Chapter 7: Control and Accounting Information Systems
Control Frameworks
COSO’S INTERNAL CONTROL FRAMEWORK
Committee of Sponsoring Organizations (COSO)
A private sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants and the Financial Executives Institute
Internal Control—Integrated Framework (IC)
A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems.
COSO’S ENTERPRISE RISK MANAGEMENT FRAMEWORK
Enterprise Risk Management—Integrated Framework (ERM)
The process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals.
COBIT FRAMEWORK
5 key principles of IT governance and management (COBIT 5)
Applying a single, integrated framework
can be aligned at a high level with other standards and frameworks
Enabling a holistic approach
provides a holistic approach that results in effective governance and management of all IT functions in the company.
Covering the enterprise end-to-end
does not just focus on the IT operation, it integrates all IT functions and processes into companywide functions and processes.
Separating governance from management
distinguishes between governance and management.
Meeting stakeholder needs
helps users customize business processes and procedures to create an information system that adds value to its stakeholders
THE ENTERPRISE RISK MANAGEMENT FRAMEWORK VERSUS THE INTERNAL CONTROL FRAMEWORK
The Internal Environment
ORGANIZATIONAL STRUCTURE
company’s organizational structure
provides a framework for planning, executing, controlling, and monitoring operations
Importance of organizational structure
Centralization or decentralization of authority
A direct or matrix reporting relationship
Size and nature of company activities
METHODS OF ASSIGNING AUTHORITY AND RESPONSIBILITY
Management should make sure
assign authority and responsibility for goals and objectives to departments and individuals
employees understand entity goals and objectives
hold the individuals accountable for achieving them
encourage the use of initiative to solve problems.
INTERNAL CONTROL OVERSIGHT BY THE BOARD OF DIRECTORS
An involved board of directors
represents shareholders and provides an independent review of management that acts as a check and balance on its actions.
SOX requires public companies to have an audit committee of outside, independent directors
responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors, who report all critical accounting policies and practices to them.
HUMAN RESOURCES STANDARDS THAT ATTRACT, DEVELOP, AND RETAIN
COMPETENT INDIVIDUALS
HR policies
MANAGING DISGRUNTLED EMPLOYEES
Companies need procedures to identify disgruntled employees
DISCHARGING
Dismissed employees should be removed from sensitive jobs immediately
TRAINING
Training programs should teach new employees
VACATIONS AND ROTATION OF DUTIES
COMPENSATING, EVALUATING, AND PROMOTING
CONFIDENTIALITY AGREEMENTS AND FIDELITY BOND INSURANCE
All employees, suppliers, and contractors should sign and abide by a confidentiality agreement
HIRING
Employees should be hired
PROSECUTE AND INCARCERATE PERPETRATORS
Most fraud is not reported or prosecuted, for several reasons
COMMITMENT TO INTEGRITY, ETHICAL VALUES, AND COMPETENCE
Organizations need a culture that stresses integrity and commitment to ethical values and competence
EXTERNAL INFLUENCES
include requirements imposed by stock exchanges
MANAGEMENT’S PHILOSOPHY, OPERATING STYLE, AND RISK APPETITE
risk appetite
the amount of risk they are willing to accept to achieve their goals
an organization has a philosophy
The more responsible management’s philosophy and operating style, and the more clearly they are communicated
Risk Assessment and Risk Response
Inherent risk
the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control.
Residual risk
the risk that remains after management implements internal controls or some other response to risk
Strategy
IDENTIFY CONTROLS
ESTIMATE COSTS AND BENEFITS
ESTIMATE LIKELIHOOD AND IMPACT
DETERMINE COST/BENEFIT EFFECTIVENESS
IMPLEMENT CONTROL OR ACCEPT, SHARE, OR AVOID THE RISK
the way to respond to risk
Accept
Accept the likelihood and impact of the risk
Share
Share risk or transfer it to someone else by buying insurance
Reduce
Reduce the likelihood and impact of risk by implementing an effective system of internal controls.
Avoid
Avoid risk by not engaging in the activity that produces the risk
Control Activities
Control procedures fall into the following categories
Change management controls
Design and use of documents and records
Project development and acquisition controls
Safeguarding assets, records, and data
Segregation of duties
Independent checks on performance
Proper authorization of transactions and activities
how a violation of specific control activities, combined with internal environment factors, resulted in a fraud.
CHANGE MANAGEMENT CONTROLS
DESIGN AND USE OF DOCUMENTS AND RECORDS
PROJECT DEVELOPMENT AND ACQUISITION CONTROLS
project development plan
System performance measurement
postimplementation review
strategic master plan
steering committee
SAFEGUARD ASSETS, RECORDS, AND DATA
Protect records and documents
Restrict access to assets
Maintain accurate records of all assets
Create and enforce appropriate policies and procedures
SEGREGATION OF DUTIES
SEGREGATION OF SYSTEMS DUTIES
SEGREGATION OF ACCOUNTING DUTIES
INDEPENDENT CHECKS ON PERFORMANCE
Reconciliation of independently maintained records
Analytical reviews
Double-entry accounting
Top-level reviews
Independent review
Comparison of actual quantities with recorded amounts
PROPER AUTHORIZATION OF TRANSACTIONS AND ACTIVITIES
Communicate Information and Monitor Control Processes
component
INFORMATION AND COMMUNICATION
MONITORING
EMPLOY A COMPUTER SECURITY OFFICER AND A CHIEF COMPLIANCE OFFICER
TRACK PURCHASED SOFTWARE AND MOBILE DEVICES
ENGAGE FORENSIC SPECIALISTS
IMPLEMENT EFFECTIVE SUPERVISION
INSTALL FRAUD DETECTION SOFTWARE
PERFORM INTERNAL CONTROL EVALUATIONS
IMPLEMENT A FRAUD HOTLINE
USE RESPONSIBILITY ACCOUNTING SYSTEMS
CONDUCT PERIODIC AUDITS
MONITOR SYSTEM ACTIVITIES
Objective Setting and Event Identification
OBJECTIVE SETTING
Operations objectives
deal with the effectiveness and efficiency of company operations
determine how to allocate resources
Reporting objectives
help ensure the accuracy, completeness, and reliability of company reports
improve decision making
monitor company activities and performance.
Strategic objectives
high-level goals that are aligned with the company’s mission
Compliance objectives
help the company comply with all applicable laws and regulations
EVENT IDENTIFICATION
COSO defines an event as
an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events may have positive or negative impacts or both.
A negative event represents a risk.
A positive event represents an opportunity.