CHAPTER 7 - CONTROL ACCOUNTING INFORMATION SYSTEMS - Coggle Diagram
INTRODUCTION - WHY THREATS TO ACCOUNTING INFORMATION SYSTEMS ARE INCREASING
Information is available to an unprecedented number of workers.
Information on distributed computer networks is hard to control.
Customers and suppliers have access to each other’s systems and data.
Organizations have not adequately protected data for several reasons:
Some companies view the loss of crucial information as a distant, unlikely threat.
The control implications of moving from centralized computer systems to Internet-based systems are not fully understood.
Many companies do not realize that information is a strategic resource and that protecting it must be a strategic requirement.
Productivity and cost pressures motivate management to forgo time-consuming control measures.
Event
- Any potential adverse occurrence or unwanted event that could injure the AIS or the organization
Exposure
- The potential dollar loss should a particular threat become a reality
Likelihood
- The probability that a threat will come to pass
Expected loss
- The mathematical product of exposure (the potential dollar loss should a threat become a reality) and likelihood (the probability that the threat will occur)
Segregation of accounting duties
- Separating the accounting functions of authorization
Neural networks
- Programs with learning capabilities that can accurately identify fraud. The Visa and MasterCard operation at Mellon Bank uses a neural network to track 1.2 million
Fraud hotline
- A phone number employees can call to anonymously report fraud and abuse
OVERVIEW OF CONTROL CONCEPTS
Internal controls
- The processes and procedures implemented to provide reasonable assurance that control objectives are met
Safeguard assets: prevent or detect their unauthorized acquisition, use, or disposition.
Maintain records in sufficient detail to report company assets accurately and fairly.
Provide accurate and reliable information
Prepare financial reports in accordance with established criteria.
Promote and improve operational efficiency.
Encourage adherence to prescribed managerial policies.
Comply with applicable laws and regulations
Internal controls perform three important functions:
Preventive controls
- Deter problems before they arise.
Detective controls
- Discover problems that are not prevented.
Corrective controls
- Identify and correct problems as well as correct and recover from the resulting errors.
Internal controls are often segregated into two categories
General controls
- Make sure an organization’s control environment is stable and well managed.
Application controls
- Prevent, detect, and correct transaction errors and fraud in application programs.
Four levers of control to help management reconcile the conflict between creativity and controls.
A belief system
- Describes how a company creates value, helps employees understand management's vision, communicates company core values
A boundary system
- Helps employees act ethically by setting boundaries on employee behavior.
A diagnostic control system
- Measures, monitors, and compares actual company progress to budgets and performance goals.
An interactive control system
- Helps managers to focus subordinates’ attention on key strategic issues and to be more involved in their decisions
THE FOREIGN CORRUPT PRACTICES AND SARBANES–OXLEY ACTS
Foreign Corrupt Practices Act (FCPA)
- Legislation passed to prevent companies from bribing foreign officials to obtain business
Sarbanes–Oxley Act (SOX)
- Legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud
Public Company Accounting Oversight Board (PCAOB)
- A board created by SOX that regulates the auditing profession
Control Objectives for Information and Related Technology (COBIT)
- A security and control framework that allows management to benchmark the security and control practices of IT environments, and allows users of IT services to be assured that adequate security and control exist
Committee of Sponsoring Organizations (COSO)
- A private sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants
Internal Control—Integrated Framework (IC)
- A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems
Enterprise Risk Management—Integrated Framework (ERM)
- The process the board of directors and management use to set strategy
THE INTERNAL ENVIRONMENT
- The company culture that is the foundation for all other ERM components, as it influences how organizations establish strategies and objectives
Risk appetite
- The amount of risk a company is willing to accept to achieve its goals and objectives
The audit committee
- Responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors, who report all critical accounting policies and practices to them.
The policy and procedures manual
- A document that explains proper business practices, describes needed knowledge and experience, and explains document procedures
Background check
- Includes talking to references, checking for a criminal record, examining credit records
Operations objectives
- Deal with the effectiveness and efficiency of company operations and determine how to allocate resources.
Reporting objectives
- Help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance.
Compliance objectives
- Help the company comply with all applicable laws and regulations. Most compliance objectives, and many reporting objectives, are imposed by external entities in response to laws or regulations
EVENT
- A positive or negative incident or occurrence from internal or external sources that affects implementation
Inherent risk
- The susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.
Residual risk
- The risk that remains after management implements internal controls or some other response to risk