Chapter 7: Control and Accounting Information Systems
Overview of Control Concepts
internal control
functions
Preventive controls
Detective controls
Corrective controls
category
General controls
Application controls
4 levers of control
belief system
boundary system
diagnostic control system
interactive control system
important aspects of SOX
Public Company Accounting Oversight Board (PCAOB)
New rules for auditors
New roles for audit committees
New rules for management.
New internal control requirements.
Control Frameworks
COBIT FRAMEWORK
allows :
management to benchmark security and control practices of IT environments
users to be assured that adequate IT security and controls exist
auditors to substantiate their internal control opinions and to advise on IT security and control matters
key principles
Meeting stakeholder needs
Covering the enterprise end-to-end
Applying a single, integrated framework
Enabling a holistic approach
Separating governance from management.
COSO’S INTERNAL CONTROL FRAMEWORK
Control environment
Risk assessment
Control activities
Information and communication
Monitoring
ERM
setting objectives
identifying events that affect the company
The internal environment
Management’s philosophy, operating style, and risk appetite
The more responsible management’s philosophy and operating style, and the more clearly they are communicated, the more likely employees will behave responsibly
Commitment to integrity, ethical values, and competence
Integrity starts at the top, as company employees adopt top management attitudes about risks and controls
Internal control oversight by the board of directors
An involved board of directors represents shareholders and provides an independent review of management that acts as a check and balance on its actions.
Organizational structure
provides a framework for planning, executing, controlling, and monitoring operations.
Methods of assigning authority and responsibility
important to identify who is responsible for the company’s information security policy
Human resources standards that attract, develop, and retain competent individuals
hiring
compensating, evaluating, promoting
training
managing disgruntled employees
discharging
vacations and rotations of duty
confidentiality agreements and fidelity bond insurance
prosecute and incarcerate perpetrators
External influences
requirements imposed by stock exchanges, the Financial Accounting Standards Board (FASB), the PCAOB, and the SEC.
Objective Setting and Event Identification
objective setting
Operations objectives
Reporting objectives
Compliance objectives
event identification
techniques
perform internal analysis
analyze business processes
using data mining
monitor leading events & trigger points
conducting workshops and interviews
use comprehensive list of potential events
Risk Assessment and Risk Response
risk assessment
inherent risk
The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.
residual risk
The risk that remains after management implements internal controls or some other response to risk.
risk response
Estimate likelihood and impact
Identify controls
Estimate costs and benefits
Determine cost / benefit effectiveness
Implement control or accept, share, or avoid the risk
Control Activities
Segregation of duties
Segregation of accounting duties
Authorization—approving transactions and decisions
Recording—preparing source documents; entering data into computer systems; and maintaining journals, ledgers, files, or databases
Custody—handling cash, tools, inventory, or fixed assets; receiving incoming customer checks; writing checks
Segregation of systems duties
Systems administration.
Network management.
Security management.
Change management
Users
Programming
Computer operations
Information system library
Data control
Project development and acquisition controls
steering committee
strategic master plan
project development plan
data processing schedule
System performance measurements
postimplementation review
Change management controls
modify existing systems to reflect new business practices and to take advantage of IT advancements
Design and use of documents and records
help ensure the accurate and complete recording of all relevant transaction data
Safeguard assets, records, and data
Create and enforce appropriate policies and procedures
Maintain accurate records of all assets
Restrict access to assets
Protect records and documents.
Independent checks on performance
Top-level reviews
Analytical reviews
Reconciliation of independently maintained records
Comparison of actual quantities with recorded amounts
Double-entry accounting.
Communicate Information and Monitor Control Processes
Information and communication
Communication must occur internally and externally to provide information needed to carry out day-to-day internal control activities
should capture and exchange the information needed to conduct, manage, and control the organization’s operations.
Monitoring
Perform internal control evaluations
Implement effective supervision
Use responsibility accounting systems
Monitor system activities
Track purchased software and mobile devices
Conduct periodic audits
Employ a computer security officer and a chief compliance officer
Engage forensic specialists
Install fraud detection software
implement a fraud hotline