CHAPTER 7 - Control and Accounting Information Systems (Coggle Diagram)
Introduction
WHY THREATS TO ACCOUNTING INFORMATION SYSTEMS ARE INCREASING
Information is available to an unprecedented number of workers
Information on distributed computer networks is hard to control
Customers and suppliers have access to each other’s systems and data
Organizations have not adequately protected data for several reasons:
● Some companies view the loss of crucial information as a distant, unlikely threat.
● The control implications of moving from centralized computer systems to Internet-based systems are not fully understood.
● Many companies do not realize that information is a strategic resource and that protecting it must be a strategic requirement.
● Productivity and cost pressures motivate management to forgo time-consuming control measures.
threat/event
- Any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
exposure/impact
- The potential dollar loss should a particular threat become a reality.
likelihood/risk
- The probability that a threat will come to pass.
Control Frameworks
COBIT FRAMEWORK
Control Objectives for Information and Related Technology (COBIT) -
A security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters.
COBIT 5 is based on the following five key principles of IT governance and management.
Meeting stakeholder needs.
COBIT 5 helps users customize business processes and procedures to create an information system that adds value to its stakeholders. It also allows the company to create the proper balance between risk and reward.
Covering the enterprise end-to-end.
COBIT 5 does not just focus on the IT operation, it integrates all IT functions and processes into companywide functions and processes.
Applying a single, integrated framework.
COBIT 5 can be aligned at a high level with other standards and frameworks so that an overarching framework for IT governance and management is created.
Enabling a holistic approach.
COBIT 5 provides a holistic approach that results in effective governance and management of all IT functions in the company.
Separating governance from management.
COBIT 5 distinguishes between governance and management.
COSO’S INTERNAL CONTROL FRAMEWORK
Committee of Sponsoring Organizations (COSO)
- A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
Internal Control—Integrated Framework (IC)
- A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems.
COSO’S ENTERPRISE RISK MANAGEMENT FRAMEWORK
Enterprise Risk Management—Integrated Framework (ERM)
- A COSO framework that improves the risk management process by expanding COSO’s Internal Control—Integrated Framework with three additional elements.
The basic principles behind ERM are as follows:
● Companies are formed to create value for their owners
● Management must decide how much uncertainty it will accept as it creates value
● Uncertainty results in risk, which is the possibility that something negatively affects the company’s ability to create or preserve value.
● Uncertainty results in opportunity, which is the possibility that something positively affects the company’s ability to create or preserve value.
● The ERM framework can manage uncertainty as well as create and preserve value.
THE ENTERPRISE RISK MANAGEMENT FRAMEWORK VERSUS THE INTERNAL CONTROL FRAMEWORK
The more comprehensive ERM framework takes a risk-based rather than a controls-based approach.
ERM adds three additional elements to COSO’s IC framework:
- setting objectives
- identifying events that may affect the company
- developing a response to assessed risk.
The ERM model also recognizes that risk, in addition to being controlled, can be accepted, avoided, diversified, shared, or transferred.
Overview of Control Concepts
internal controls
- The processes and procedures implemented to provide reasonable assurance that control objectives are met
Internal controls perform three important functions:
preventive controls
- Controls that deter problems before they arise.
detective controls
- Controls designed to discover control problems that were not prevented.
corrective controls
- Controls that identify and correct problems as well as correct and recover from the resulting errors
Internal controls are often segregated into two categories:
general controls
- Controls designed to make sure an organization’s information system and control environment is stable and well managed.
application controls
- Controls that prevent, detect, and correct transaction errors and fraud in application programs.
Four levers of control help management reconcile the conflict between creativity and controls:
belief system
- System that describes how a company creates value, helps employees understand management’s vision, communicates company core values, and inspires employees to live by those values.
boundary system
- System that helps employees act ethically by setting boundaries on employee behavior.
diagnostic control system
- System that measures, monitors, and compares actual company progress to budgets and performance goals.
interactive control system
- System that helps managers to focus subordinates’ attention on key strategic issues and to be more involved in their decisions.
Foreign Corrupt Practices Act (FCPA)
Legislation passed to prevent companies from bribing foreign officials to obtain business; it also requires all publicly owned corporations to maintain a system of internal accounting controls.
Sarbanes–Oxley Act (SOX)
Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud.
Public Company Accounting Oversight Board (PCAOB)
- A board created by SOX to regulate the auditing profession.
The Internal Environment
internal environment
- The company culture that is the foundation for all other ERM components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk.
MANAGEMENT’S PHILOSOPHY, OPERATING STYLE, AND RISK APPETITE
risk appetite
- The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
COMMITMENT TO INTEGRITY, ETHICAL VALUES, AND COMPETENCE
Management endorses integrity by:
● Actively teaching and requiring it
● Avoiding unrealistic expectations or incentives that motivate dishonest or illegal acts
● Consistently rewarding honesty and giving verbal labels to honest and dishonest behavior
● Developing a written code of conduct that explicitly describes honest and dishonest behaviors
● Requiring employees to report dishonest or illegal acts and disciplining employees who knowingly fail to report them
● Making a commitment to competence
INTERNAL CONTROL OVERSIGHT BY THE BOARD OF DIRECTORS
audit committee
- The outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors.
ORGANIZATIONAL STRUCTURE
Organizational structure provides a framework for planning, executing, controlling, and monitoring operations. Important aspects include:
● Centralization or decentralization of authority
● A direct or matrix reporting relationship
● Organization by industry, product line, location, or marketing network
● How allocation of responsibility affects information requirements
● Organization of and lines of authority for accounting, auditing, and information system functions
● Size and nature of company activities
METHODS OF ASSIGNING AUTHORITY AND RESPONSIBILITY
Authority and responsibility are assigned and communicated using formal job descriptions, employee training, operating schedules, budgets, a code of conduct, and written policies and procedures.
policy and procedures manual
- A document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties.
HUMAN RESOURCES STANDARDS THAT ATTRACT, DEVELOP, AND RETAIN COMPETENT INDIVIDUALS
1. HIRING
background check
- An investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information.
2. COMPENSATING, EVALUATING, AND PROMOTING
3. TRAINING
4. MANAGING DISGRUNTLED EMPLOYEES
5. DISCHARGING
6. VACATIONS AND ROTATION OF DUTIES
7. CONFIDENTIALITY AGREEMENTS AND FIDELITY BOND INSURANCE
8. PROSECUTE AND INCARCERATE PERPETRATORS
Most fraud is not reported or prosecuted for several reasons:
Companies are reluctant to report fraud because it can be a public relations disaster.
Law enforcement and the courts are busy with violent crimes and have less time and interest for computer crimes in which no physical harm occurs.
Many law enforcement officials, lawyers, and judges lack the computer skills needed to investigate and prosecute computer crimes.
Fraud sentences are often light.
Fraud is difficult, costly, and time-consuming to investigate and prosecute.
EXTERNAL INFLUENCES
External influences include requirements imposed by stock exchanges, the Financial Accounting Standards Board (FASB), the PCAOB, and the SEC, as well as requirements imposed by regulatory agencies, such as those for banks, utilities, and insurance companies.
Objective Setting and Event Identification
OBJECTIVE SETTING
strategic objectives
- High-level goals that are aligned with and support the company’s mission and create shareholder value
operations objectives
- Objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources.
reporting objectives
- Objectives to help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance.
compliance objectives
- Objectives to help the company comply with all applicable laws and regulations.
EVENT IDENTIFICATION
Event
- A positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy or the achievement of objectives.
Risk Assessment and Risk Response
inherent risk
- The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.
residual risk
- The risk that remains after management implements internal controls or some other response to risk
Management can respond to risk in one of four ways:
● Reduce. Reduce the likelihood and impact of risk by implementing an effective system of internal controls.
● Accept. Accept the likelihood and impact of the risk.
● Share. Share risk or transfer it to someone else by buying insurance, outsourcing an activity, or entering into hedging transactions.
● Avoid. Avoid risk by not engaging in the activity that produces the risk. This may require the company to sell a division, exit a product line, or not expand as anticipated.
ESTIMATE LIKELIHOOD AND IMPACT
Likelihood and impact must be considered together. As either increases, both the materiality of the event and the need to protect against it rise.
IDENTIFY CONTROLS
When preventive controls fail, detective controls are essential for discovering the problem.
ESTIMATE COSTS AND BENEFITS
expected loss
- The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood).
DETERMINE COST/BENEFIT EFFECTIVENESS
In evaluating internal controls, management must consider factors other than those in the expected cost/benefit calculation.
IMPLEMENT CONTROL OR ACCEPT, SHARE, OR AVOID THE RISK
Risks not reduced must be accepted, shared, or avoided. Risk can be accepted if it is within the company’s risk tolerance range.
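The expected-loss definition and the reduce/accept/share/avoid sequence above can be carried through in code. The following Go program is an added example, not material from the chapter or the Coggle map: the risk figures, control costs, residual likelihoods and the tolerance of 100 are constructed for the demonstration, and the rule that a control is adopted only when its net benefit (reduction in expected loss minus the control's cost) is positive is this example's reading of the cost/benefit step. It generalizes the page's single formula to a small register with several candidate controls per risk.

```go
package main

import "fmt"

// Risk is one threat from the risk assessment: the potential dollar loss if it
// occurs (impact, or exposure) and the probability that it occurs (likelihood).
type Risk struct {
	Name       string
	Impact     float64 // dollars
	Likelihood float64 // probability per year, 0..1
}

// Control is a candidate risk response: what it costs per year and the
// residual impact and likelihood that remain once it is in place.
type Control struct {
	Name               string
	AnnualCost         float64
	ResidualImpact     float64
	ResidualLikelihood float64
}

// ExpectedLoss is the chapter's definition: impact multiplied by likelihood.
func ExpectedLoss(impact, likelihood float64) float64 {
	return impact * likelihood
}

// NetBenefit of a control is the reduction in expected loss it buys minus its
// cost. A control is cost-effective only when this is positive.
func NetBenefit(r Risk, c Control) float64 {
	before := ExpectedLoss(r.Impact, r.Likelihood)
	after := ExpectedLoss(c.ResidualImpact, c.ResidualLikelihood)
	return (before - after) - c.AnnualCost
}

// Decision is the response chosen for one risk.
type Decision struct {
	Response string  // "reduce", "accept", or "share or avoid"
	Control  string  // the control selected when Response is "reduce"
	Residual float64 // expected loss that remains after the response
}

// Decide applies the sequence described above: implement the cost-effective
// control with the largest net benefit; if no control pays for itself, accept
// the risk when its expected loss is within tolerance, otherwise share or avoid it.
func Decide(r Risk, candidates []Control, tolerance float64) Decision {
	d := Decision{Response: "accept", Residual: ExpectedLoss(r.Impact, r.Likelihood)}
	bestNet := 0.0
	for _, c := range candidates {
		if nb := NetBenefit(r, c); nb > bestNet {
			bestNet = nb
			d = Decision{
				Response: "reduce",
				Control:  c.Name,
				Residual: ExpectedLoss(c.ResidualImpact, c.ResidualLikelihood),
			}
		}
	}
	if d.Response == "accept" && d.Residual > tolerance {
		d.Response = "share or avoid"
	}
	return d
}

// SampleRegister returns constructed figures for the demonstration (assumed
// values, not from the chapter).
func SampleRegister() (risks []Risk, controls map[string][]Control) {
	risks = []Risk{
		{Name: "payroll input error", Impact: 15000, Likelihood: 0.15},
		{Name: "petty cash shortage", Impact: 1000, Likelihood: 0.05},
		{Name: "data center fire", Impact: 500000, Likelihood: 0.02},
	}
	controls = map[string][]Control{
		"payroll input error": {
			{Name: "input validation edits", AnnualCost: 500, ResidualImpact: 15000, ResidualLikelihood: 0.05},
			{Name: "second-person re-entry", AnnualCost: 2000, ResidualImpact: 15000, ResidualLikelihood: 0.01},
		},
		"petty cash shortage": {
			{Name: "daily cash count", AnnualCost: 500, ResidualImpact: 1000, ResidualLikelihood: 0},
		},
		"data center fire": {
			{Name: "suppression system", AnnualCost: 9000, ResidualImpact: 500000, ResidualLikelihood: 0.005},
		},
	}
	return risks, controls
}

func main() {
	risks, controls := SampleRegister()
	for _, r := range risks {
		d := Decide(r, controls[r.Name], 100)
		fmt.Printf("%-22s expected loss %9.2f -> %s %s (residual %.2f)\n",
			r.Name, ExpectedLoss(r.Impact, r.Likelihood), d.Response, d.Control, d.Residual)
	}
}
```

With these figures the payroll risk is reduced by the cheaper control (net benefit 1000 versus 100 for the more thorough one), the petty cash risk is accepted because its expected loss of 50 is under tolerance even though no control pays for itself, and the fire risk, whose control also fails the cost/benefit test, is too large to accept and must be shared (insurance) or avoided.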
Control Activities
Control activities are the policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out.
Control procedures fall into the following categories:
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance
PROPER AUTHORIZATION OF TRANSACTIONS AND ACTIVITIES
Authorization
- Establishing policies for employees to follow and then empowering them to perform certain organizational functions. Authorizations are often documented by signing, initialing, or entering an authorization code on a document or record.
digital signature
- A means of electronically signing a document with data that cannot be forged: the signature is computed from the document’s contents with the signer’s private key and checked with the signer’s public key, so it fails verification if the document is altered after signing or if it was produced without that private key.
specific authorization
- Special approval an employee needs in order to be allowed to handle a transaction.
general authorization
- The authorization given employees to handle routine transactions without special approval.
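To show what "data that cannot be forged" means in practice, here is an added Go example (not code from the chapter) that signs an authorization record with Ed25519 from Go's standard library and verifies it. The record fields, the approver name and the amounts are assumed for the demonstration; the page names no such format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Authorization is the record an approver signs: who approved which document
// for what amount. The fields are assumed for this example.
type Authorization struct {
	Approver string `json:"approver"`
	Document string `json:"document"`
	Amount   int64  `json:"amount"`
}

// canonical returns the exact bytes that are signed. The verifier must rebuild
// them identically; json.Marshal of a struct emits fields in declaration
// order, which keeps the encoding deterministic here.
func canonical(a Authorization) ([]byte, error) {
	return json.Marshal(a)
}

// Sign produces the approver's signature over the record with their private key.
func Sign(priv ed25519.PrivateKey, a Authorization) ([]byte, error) {
	msg, err := canonical(a)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(priv, msg), nil
}

// Verify checks a signature against the approver's public key. It returns
// false if the record was altered after signing or the signature was made
// with a different key.
func Verify(pub ed25519.PublicKey, a Authorization, sig []byte) bool {
	msg, err := canonical(a)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, sig)
}

// Demo runs the three checks that matter: the genuine record verifies, an
// altered amount does not, and verification under someone else's key fails.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	otherPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	rec := Authorization{Approver: "controller", Document: "PO-1042", Amount: 12500}
	sig, err := Sign(priv, rec)
	if err != nil {
		return
	}
	genuine = Verify(pub, rec, sig)

	altered := rec
	altered.Amount = 125000 // one digit changed after approval
	tampered = Verify(pub, altered, sig)

	wrongKey = Verify(otherPub, rec, sig)
	return
}

func main() {
	genuine, tampered, wrongKey, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine record verifies:", genuine)  // true
	fmt.Println("altered amount verifies:", tampered) // false
	fmt.Println("other key verifies:", wrongKey)      // false
}
```

The private key never leaves the approver; anyone holding the public key can check the approval, which is what lets a digital signature document an authorization the way a handwritten signature or initials do on paper.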
SEGREGATION OF DUTIES
SEGREGATION OF ACCOUNTING DUTIES
Separating the accounting functions of authorization, custody, and recording to minimize an employee’s ability to commit fraud.
SEGREGATION OF SYSTEMS DUTIES
Implementing control procedures to clearly divide authority and responsibility within the information system function.
Authority and responsibility should be divided clearly among the following functions:
1. systems administrator
- Person responsible for making sure a system operates smoothly and efficiently.
2. network manager
- Person who ensures that the organization’s networks operate properly.
3. security management
- People that make sure systems are secure and protected from internal and external threats.
4. change management
- Process of making sure changes are made smoothly and efficiently and do not negatively affect the system.
5. users
- People who record transactions, authorize data processing, and use system output.
6. systems analysts
- People who help users determine their information needs and design systems to meet those needs.
7. programmers
- People who use the analysts’ design to create and test computer programs.
8. computer operators
- People who operate the company’s computers.
9. information system library
- Corporate databases, files, and programs stored and managed by the system librarian.
10. data control group
- People who ensure that source data is approved, monitor the flow of work, reconcile input and output, handle input errors, and distribute systems output.
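An added example, not from the chapter, that checks an access listing for the conflicts the two segregation rules above describe. The three accounting duties (authorization, custody, recording) are taken from the text; the systems-duty pairs treated as incompatible here (programmer with computer operator, programmer with user) and the sample assignments are this example's assumptions, and a real policy would list the pairs the organization has decided on.

```go
package main

import (
	"fmt"
	"sort"
)

// Duty is one function a person can be assigned.
type Duty string

// Policy lists groups of duties that must be held by different people: one
// person holding two or more duties from a single group is a violation.
type Policy struct {
	Name   string
	Groups [][]Duty
}

// Violation is one person holding incompatible duties under one policy.
type Violation struct {
	Person string
	Policy string
	Duties []Duty
}

// DefaultPolicies encodes the accounting rule from the text and, for the
// systems functions, two illustrative pairs assumed for this example.
func DefaultPolicies() []Policy {
	return []Policy{
		{Name: "accounting duties", Groups: [][]Duty{
			{"authorization", "custody", "recording"},
		}},
		{Name: "systems duties", Groups: [][]Duty{
			{"programmer", "computer operator"}, // could change code and run it in production
			{"programmer", "user"},              // could alter a program and enter transactions through it
		}},
	}
}

// CheckSegregation returns every violation, ordered by person so the report
// is deterministic.
func CheckSegregation(assignments map[string][]Duty, policies []Policy) []Violation {
	people := make([]string, 0, len(assignments))
	for p := range assignments {
		people = append(people, p)
	}
	sort.Strings(people)

	var found []Violation
	for _, person := range people {
		held := map[Duty]bool{}
		for _, d := range assignments[person] {
			held[d] = true
		}
		for _, pol := range policies {
			for _, group := range pol.Groups {
				var hit []Duty
				for _, d := range group {
					if held[d] {
						hit = append(hit, d)
					}
				}
				if len(hit) >= 2 {
					found = append(found, Violation{Person: person, Policy: pol.Name, Duties: hit})
				}
			}
		}
	}
	return found
}

// SampleAssignments is a constructed access listing for the demonstration.
func SampleAssignments() map[string][]Duty {
	return map[string][]Duty{
		"alice": {"authorization", "recording"},     // approves and books the same transactions
		"bob":   {"custody"},                        // handles cash only
		"carol": {"programmer", "computer operator"}, // writes code and operates production
		"dave":  {"recording", "user"},              // two duties, but not from one group
	}
}

func main() {
	for _, v := range CheckSegregation(SampleAssignments(), DefaultPolicies()) {
		fmt.Printf("%s: %s conflict %v\n", v.Person, v.Policy, v.Duties)
	}
}
```

Run against a real role export the same loop gives the list an auditor would ask for: who can both authorize and record, or both change and run code. Users like dave, whose duties span the accounting and systems lists but never two from one group, are correctly left out.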
PROJECT DEVELOPMENT AND ACQUISITION CONTROLS
Important systems development controls include the following:
A steering committee guides and oversees systems development and acquisition.
A strategic master plan is developed and updated yearly to align an organization’s information system with its business strategies. It shows the projects that must be completed, and it addresses the company’s hardware, software, personnel, and infrastructure requirements.
A project development plan shows the tasks to be performed, who will perform them, project costs, completion dates, and project milestones—significant points when progress is reviewed and actual and estimated completion times are compared. Each project is assigned to a manager and team who are responsible for its success or failure.
A data processing schedule shows when each task should be performed.
System performance measurements are established to evaluate the system. Common measurements include throughput (output per unit of time), utilization (percentage of time the system is used), and response time (how long it takes for the system to respond).
A postimplementation review is performed after a development project is completed to determine whether the anticipated benefits were achieved.
CHANGE MANAGEMENT CONTROLS
Organizations modify existing systems to reflect new business practices and to take advantage of IT advancements.
DESIGN AND USE OF DOCUMENTS AND RECORDS
Their form and content should be as simple as possible, minimize errors, and facilitate review and verification. Documents that initiate a transaction should contain a space for authorizations
SAFEGUARD ASSETS, RECORDS, AND DATA
To safeguard assets, records, and data it is important to:
● Create and enforce appropriate policies and procedures.
● Maintain accurate records of all assets.
● Restrict access to assets
● Protect records and documents.
INDEPENDENT CHECKS ON PERFORMANCE
Independent checks on performance, done by someone other than the person who performs the original operation, help ensure that transactions are processed accurately. They include:
● Top-level reviews.
● Analytical reviews
● Reconciliation of independently maintained records.
● Comparison of actual quantities with recorded amounts.
● Double-entry accounting.
● Independent review.
Communicate Information and Monitor Control Processes
INFORMATION AND COMMUNICATION
Information and communication systems capture and exchange the information needed to conduct, manage, and control the organization’s operations.
audit trail
- A path that allows a transaction to be traced through a data processing system from point of origin to output or backward from output to point of origin.
The primary purpose of an accounting information system (AIS) is to gather, record, process, store, summarize, and communicate information about an organization.
Three principles apply:
Obtain or generate relevant, high-quality information to support internal control.
Internally communicate the information, including objectives and responsibilities, necessary to support the other components of internal control.
Communicate relevant internal control matters to external parties.
MONITORING
PERFORM INTERNAL CONTROL EVALUATIONS
Internal control effectiveness is measured using a formal or a self-assessment evaluation.
IMPLEMENT EFFECTIVE SUPERVISION
Effective supervision involves training and assisting employees, monitoring their performance, correcting errors, and overseeing employees who have access to assets
USE RESPONSIBILITY ACCOUNTING SYSTEMS
Responsibility accounting systems include budgets, quotas, schedules, standard costs, and quality standards; reports comparing actual and planned performance; and procedures for investigating and correcting significant variances.
MONITOR SYSTEM ACTIVITIES
Risk analysis and management software packages review computer and network security measures, detect illegal access, test for weaknesses and vulnerabilities, report weaknesses found, and suggest improvements
TRACK PURCHASED SOFTWARE AND MOBILE DEVICES
Purchased software and mobile devices should be tracked because their loss could represent a substantial exposure. Items to track are the devices, who has them, what tasks they perform, the security features installed, and what software the company needs to maintain adequate system and network security.
CONDUCT PERIODIC AUDITS
Informing employees of audits helps resolve privacy issues, deters fraud, and reduces errors. Auditors should regularly test system controls and periodically browse system usage files looking for suspicious activities.
EMPLOY A COMPUTER SECURITY OFFICER AND A CHIEF COMPLIANCE OFFICER
computer security officer (CSO)
- An employee independent of the information system function who monitors the system, disseminates information about improper system uses and their consequences, and reports to top management.
chief compliance officer (CCO)
- An employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings.
ENGAGE FORENSIC SPECIALISTS
forensic investigators
- Individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have professional certifications such as Certified Fraud Examiner (CFE).
computer forensics specialists
- Computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges
INSTALL FRAUD DETECTION SOFTWARE
neural networks
- Computing systems that imitate the brain’s learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically
IMPLEMENT A FRAUD HOTLINE
fraud hotline
- A phone number employees can call to anonymously report fraud and abuse.