Control and Accounting Information Systems - Coggle Diagram
Introduction
Reason for the failures
Information is available to an unprecedented number of workers
Information on distributed computer networks is hard to control
Customers and suppliers have access to each other's systems and data
Threat/event
Any potential adverse occurrence or unwanted event that could injure the AIS or the organization
Exposure/impact
The potential dollar loss should a particular threat become a reality
Likelihood/risk
The probability that a threat will come to pass
Overview of Control Concepts
Internal controls
The processes and procedures implemented to provide reasonable assurance that control objectives are met
Function
Preventive controls
Controls that deter problems before they arise
Detective controls
Controls designed to discover control problems that were not prevented
Corrective controls
Controls that identify and correct problems as well as correct and recover from the resulting errors
Two categories
General controls
Controls designed to make sure an organization's information systems and control environment are stable and well managed
Application controls
Controls that prevent, detect and correct transaction errors and fraud in application programs
Belief system
System that describes how a company creates value, helps employees understand management's vision, communicates company core values, and inspires employees to live by those values
Boundary system
System that helps employees act ethically by setting boundaries on employee behavior
Diagnostic control system
System that measures, monitors and compares actual company progress to budgets and performance goals
Interactive control system
System that helps managers to focus subordinates' attention on key strategic issues and to be more involved in their decisions
Foreign corrupt practices act (FCPA)
Legislation passed to prevent companies from bribing foreign officials to obtain business
Sarbanes-Oxley Act (SOX)
Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud
Public Company Accounting Oversight Board
New rules for auditors
New roles for audit committees
New rules for management
New internal control requirements
Control Frameworks
A security and control framework that allows management to benchmark the security and control practices of IT environments
Meeting stakeholder needs
Covering the enterprise end-to-end
Applying a single, integrated framework
Enabling a holistic approach
Separating governance from management
COSO
A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute
IC
A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems
ERM
A COSO framework that improves the risk management process by expanding COSO's Internal Control
The Internal Environment
The company culture that is the foundation for all other ERM components, as it influences how organizations establish strategies and objectives
Management’s philosophy, operating style, and risk appetite
Commitment to integrity, ethical values, and competence
Internal control oversight by the board of directors
Organizational structure
Methods of assigning authority and responsibility
Human resource standards that attract, develop, and retain competent individuals
External influences
Risk appetite
The amount of risk a company is willing to accept to achieve its goals and objectives
Audit committee
The outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors
Policy and procedures manual
A document that explains proper business practices, describes needed knowledge and experience
Background check
An investigation of a prospective or current employee that involves verifying their educational and work experience
Objective Setting and Event Identification
Strategic objectives
High-level goals that are aligned with and support the company's mission and create shareholder value
Operation objectives
Objectives that deal with the effectiveness and efficiency of company operations and determine how to allocate resources
Reporting objectives
Objectives to help assure the accuracy, completeness and reliability of company reports
Compliance objectives
Objectives to help the company to comply with all applicable laws and regulations
Event
A positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy or the achievement of objectives
Risk Assessment and Risk Response
Inherent risk
The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control
Residual risk
The risk that remains after management implements internal controls or some other response to risk
Management can respond to risk
Reduce
Accept
Share
Avoid
Estimate costs and benefits
Expected loss
The mathematical product of the potential dollar loss that would occur should a threat become a reality and the risk or probability that the threat will occur
Control Activities
Policies, procedures and rules that provide reasonable assurance that control objectives are met and risk responses are carried out
Control procedures
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance
Proper Authorization Of Transactions And Activities
Authorization
Establishing policies for employees to follow and then empowering them to perform certain organizational functions
Digital signature
A means of electronically signing a document with data that cannot be forged
Specific authorization
Special approval an employee needs in order to be allowed to handle a transaction
General authorization
The authorization given to employees to handle routine transactions without special approval
Segregation Of Accounting Duties
Separating the accounting functions of authorization, custody and recording to minimize an employee's ability to commit fraud
Authorization
Recording
Custody
Collusion
Cooperation between two or more people in an effort to thwart internal controls
Segregation Of Systems Duties
Implementing control procedures to clearly divide authority and responsibility within the information system function
Systems administration
Network management
Security management
Change management
Users
System analysis
Programming
Computer operations
Information system library
Data control
Important systems development
Steering committee
Strategic master plan
Project development plan
Project milestones
Data processing schedule
System performance measurement
Throughput
Utilization
Response time
Postimplementation
Systems integrator
Develop clear specifications
Monitor the project
Safeguard Assets, Records And Data
Create and enforce appropriate policies and procedures
Maintain accurate records of all assets
Restrict access to assets
Protect records and documents
Independent Checks On Performance
Top-level reviews
Analytical reviews
Reconciliation of independently maintained records
Comparison of actual quantities with recorded amounts
Double-entry accounting
Independent review
Communicate Information and Monitor Control Processes
Information and Communication
Audit trail
A path that allows a transaction to be traced through a data processing system from point of origin to output or backward from output to point of origin
Monitoring
Perform internal control evaluations
Implement effective supervision
Use responsibility accounting systems
Monitor system activities
Track purchased software and mobile devices
Conduct periodic audits
Employ a computer security officer and a chief compliance officer
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline