Control and Accounting Information Systems - Coggle Diagram
Control and Accounting Information Systems
Internal Controls
Processes implemented to provide reasonable assurance that the following objectives are achieved:
Maintain sufficient records
Provide accurate and reliable information
Prepare financial reports according to established criteria
Promote and improve operational efficiency
Encourage adherence with management policies
Comply with laws and regulations
Safeguard assets
Functions of Internal Controls
Preventive controls
Deter problems from occurring
Detective controls
Discover problems that are not prevented
Corrective controls
Identify and correct problems, and recover from their effects
SOX AND THE FOREIGN CORRUPT PRACTICES ACT
In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement.
The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.
A significant side effect was to require that corporations maintain good systems of internal accounting control.
In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.
The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (SOX).
Applies to publicly held companies and their auditors
The intent of SOX is to:
Prevent financial statement fraud
Make financial reports more transparent
Protect investors
Strengthen internal controls in publicly-held companies
Punish executives who perpetrate fraud
SOX has had a material impact on the way boards of directors, management, and accountants operate.
Important aspects of SOX include:
Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
New rules for auditors
New rules for audit committees
New rules for management
New internal control requirements
After the passage of SOX, the SEC further mandated that:
Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.
The report must contain a statement identifying the framework used.
Control Frameworks
Control frameworks: COBIT, COSO, COSO-ERM
COSO-ERM
-Expands the COSO framework by taking a risk-based approach
COBIT Framework
-Framework for IT control
-Current framework version is COBIT 5
Based on the following principles:
Meeting stakeholder needs
Covering the enterprise end-to-end
Applying a single, integrated framework
Enabling a holistic approach
Separating governance from management
COSO’s Internal Control Framework
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
The American Accounting Association
The AICPA
The Institute of Internal Auditors
The Institute of Management Accountants
The Financial Executives Institute
Components of COSO Frameworks
COSO
Control (internal) environment
Risk assessment
Control activities
Information and communication
Monitoring
COSO-ERM
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring
ERM Framework
Takes a risk-based, rather than controls-based, approach to the organization.
Oriented toward future and constant change.
Incorporates rather than replaces COSO’s internal control framework and contains three additional elements:
Setting objectives.
Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives.
Developing a response to assessed risk.
COSO developed a model to illustrate the elements of ERM.
Internal Environment
Is the foundation on which the other seven components rest.
The most critical component of the ERM and the internal control framework.
Influences how organizations:
Establish strategies and objectives
Structure business activities
Identify, assess, and respond to risk
A deficient internal control environment often results in risk management and control breakdowns.
Management’s philosophy, operating style, and risk appetite
Commitment to integrity, ethical values, and competence
Internal control oversight by Board of Directors
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
The following human resource policies and procedures are important:
Hiring
Compensating
Training
Evaluating and promoting
Discharging
Managing disgruntled employees
Vacations and rotation of duties
Confidentiality, insurance, and fidelity bonds
RISK ASSESSMENT AND RISK RESPONSE
The fourth and fifth components of COSO’s ERM model are risk assessment and risk response.
COSO indicates there are two types of risk:
-Inherent risk
-Residual risk
Companies should:
Assess inherent risk
Develop a response
Then assess residual risk
Risk Assessment
Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.
The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.
The probability that the threat will happen is the likelihood associated with the threat.
Risk Response: reduce, accept, share, or avoid
Share
Buy insurance, outsource, or hedge
Avoid
Do not engage in the activity
Accept
Do nothing, accept likelihood and impact of risk
Reduce
Implement effective internal control
Example:
Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.
A catastrophic theft could result in losses of $800,000.
Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.
Companies with motion detectors only have about a .5% probability of catastrophic theft.
The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.
Should Hobby Hole install the motion detectors?
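As an added worked example (not part of the original diagram), the Hobby Hole decision above carried through in Python and generalized so the same expected-loss comparison can be applied to any reduce-type control; the Threat and Control classes and their field names are assumptions of this example, and the figures are the ones given on the page.

```python
# Added example: expected-loss model for the "reduce" risk response.
# The risk-response decision compares the reduction in expected loss
# (likelihood x impact) that a control buys against the control's cost.
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float       # exposure: dollar loss if the threat materializes
    likelihood: float   # probability the threat occurs, 0..1

    def expected_loss(self) -> float:
        """Expected loss = likelihood x impact (exposure)."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    cost: float                 # present value of buying and operating the control
    residual_likelihood: float  # likelihood that remains once the control is in place


def risk_reduction(threat: Threat, control: Control) -> float:
    """Dollar reduction in expected loss achieved by the control."""
    residual = Threat(threat.name, threat.impact, control.residual_likelihood)
    return threat.expected_loss() - residual.expected_loss()


def net_benefit(threat: Threat, control: Control) -> float:
    """Positive: the control pays for itself. Negative: accept, share or avoid instead."""
    return risk_reduction(threat, control) - control.cost


def should_implement(threat: Threat, control: Control) -> bool:
    """The page's question: install the control only if its net benefit is positive."""
    return net_benefit(threat, control) > 0


# Figures from the Hobby Hole case on the page (constructed objects, not page code).
CATASTROPHIC_THEFT = Threat("catastrophic warehouse theft", impact=800_000, likelihood=0.12)
MOTION_DETECTORS = Control("motion detector system", cost=43_000, residual_likelihood=0.005)

if __name__ == "__main__":
    print(f"Expected loss without control: ${CATASTROPHIC_THEFT.expected_loss():,.0f}")
    print(f"Reduction from control:        ${risk_reduction(CATASTROPHIC_THEFT, MOTION_DETECTORS):,.0f}")
    print(f"Net benefit:                   ${net_benefit(CATASTROPHIC_THEFT, MOTION_DETECTORS):,.0f}")
    print("Install" if should_implement(CATASTROPHIC_THEFT, MOTION_DETECTORS) else "Do not install")
```

With the page's numbers the expected loss falls from $96,000 to $4,000, a $92,000 reduction against a $43,000 cost, so the detectors pay for themselves.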
It is critical that controls be in place during the year-end holiday season. A disproportionate amount of computer fraud and security break-ins occur during this time because:
More people are on vacation and fewer around to mind the store.
Students are not tied up with school.
CONTROL ACTIVITIES
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance
Proper Authorization of Transactions and Activities
Management lacks the time and resources to supervise each employee activity and decision.
Consequently, they establish policies and empower employees to perform activities within policy.
This empowerment is called authorization and is an important part of an organization’s control procedures.
Typically at least two levels of authorization:
General authorization
Management authorizes employees to handle routine transactions without special approval.
Special authorization
For activities or transactions of significant consequence, management review and approval are required.
Might apply to sales, capital expenditures, or write-offs over a particular dollar limit.
Management should have written policies for both types of authorization and for all types of transactions.
Segregation of Duties
Good internal control requires that no single employee be given too much responsibility over business transactions or processes.
An employee should not be in a position to commit and conceal fraud or unintentional errors.
Segregation of duties is discussed in two sections:
Segregation of accounting duties
Segregation of duties within the systems function
Segregation of Duties Within the Systems Function
In a highly integrated information system, procedures once performed by separate individuals are combined.
Therefore, anyone who has unrestricted access to the computer, its programs, and live data could have the opportunity to perpetrate and conceal fraud.
To combat this threat, organizations must implement effective segregation of duties within the IS function.
Authority and responsibility must be divided clearly among the following functions:
Systems administration
Network management
Security management
Change management
Users
Systems analysts
Programming
Computer operations
Information systems library
Data control
Project Development and Acquisition Controls
It’s important to have a formal, appropriate, and proven methodology to govern the development, acquisition, implementation, and maintenance of information systems and related technologies.
Should contain appropriate controls for:
Management review and approval
User involvement
Analysis
Design
Testing
Implementation
Conversion
Change Management Controls
Organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances.
Should contain appropriate controls for:
Systems reliability
Security
Confidentiality
Integrity
Availability
Design and Use of Adequate Documents and Records
Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data.
Form and content should be kept as simple as possible to:
Promote efficient record keeping
Minimize recording errors
Facilitate review and verification
Documents that initiate a transaction should contain a space for authorization.
Those used to transfer assets should have a space for the receiving party’s signature.
Safeguard Assets, Records, and Data