CHAPTER 7 - CONTROL AND ACCOUNTING INFORMATION SYSTEMS - Coggle Diagram
Introduction
Why threats to AIS are increasing
exposure or impact
likelihood or risk
threat or an event
Control Frameworks
COSO’s Internal Control Framework
The Committee of Sponsoring Organizations (COSO) consists of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute.
In 1992, COSO issued Internal Control Integrated Framework (IC), which is widely accepted as the authority on internal controls and is incorporated into policies, rules, and regulations used to control business activities.
COSO’s Enterprise Risk Management Framework
To improve the risk management process, COSO developed a second control framework called Enterprise Risk Management Integrated Framework (ERM).
COBIT Framework
The Information Systems Audit and Control Association (ISACA) developed the Control Objectives for Information and Related Technology (COBIT) framework.
Applying a single, integrated framework
Enabling a holistic approach
Covering the enterprise end-to-end
Separating governance from management
Meeting stakeholder needs
The Enterprise Risk Management Framework Versus The Internal Control Framework
Control Activities
Change Management Controls
Design and Use of Documents and Records
Project Development and Acquisition Controls
project development plan
data processing schedule
strategic master plan
System performance measurements
steering committee
postimplementation review
Safeguard Assets, Records and Data
Maintain accurate records of all assets
Restrict access to assets
Create and enforce appropriate policies and procedures
Protect records and documents
Segregation of Duties
Segregation of Accounting Duties
Recording
Custody
Authorization
Segregation of Systems Duties
Change management
Users
Security management
Systems analysis
Network management
Programming
Systems administration
Computer operations
Information system library
Data control
Independent Checks on Performance
Reconciliation of independently maintained records
Comparison of actual quantities with recorded amounts
Analytical reviews
Double-entry accounting
Top-level reviews
Independent review
Proper Authorization of Transactions and Activities
Specific authorization
General authorization
Digital signature
Overview of Control Concepts
Internal controls
Often segregated
General controls
Application controls
4 levers of control
boundary system
diagnostic control system
belief system
interactive control system
Important functions
Detective controls
Corrective controls
Preventive controls
The Foreign Corrupt Practices and Sarbanes–Oxley Acts
In 1977, the Foreign Corrupt Practices Act (FCPA) was passed to prevent companies from bribing foreign officials to obtain business.
Sarbanes–Oxley Act (SOX)
New roles for audit committees
New rules for management
New rules for auditors
New internal control requirements
Public Company Accounting Oversight Board (PCAOB)
Objective Setting and Event Identification
Objective Setting
Operations objectives, which deal with the effectiveness and efficiency of company operations, determine how to allocate resources.
Reporting objectives help ensure the accuracy, completeness, and reliability of company reports; improve decision making; and monitor company activities and performance.
Strategic objectives, which are high-level goals that are aligned with the company’s mission, support it, and create shareholder value, are set first.
Compliance objectives help the company comply with all applicable laws and regulations.
Event Identification
COSO defines an event as “an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.”
The Internal Environment
Organizational Structure
A company’s organizational structure provides a framework for planning, executing, controlling, and monitoring operations.
Methods of Assigning Authority and Responsibility
The policy and procedures manual explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties.
Internal Control Oversight by the Board of Directors
SOX requires public companies to have an audit committee of outside, independent directors. The audit committee is responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors, who report all critical accounting policies and practices to them.
Human Resources Standards that Attract, Develop, Retain Competent Individuals
Discharging
Vacations and rotation of duties
Managing disgruntled employees
Confidentiality agreements and fidelity bond insurance
Training
Prosecute and incarcerate perpetrators
Compensating, evaluating and promoting
Hiring
A thorough background check includes talking to references, checking for a criminal record, examining credit records, and verifying education and work experience.
Commitment to Integrity, Ethical Values, and Competence
Organizations need a culture that stresses integrity and commitment to ethical values and competence. Ethics pays: ethical standards are good business. Integrity starts at the top, as company employees adopt top management’s attitudes about risks and controls.
External Influences
External influences include requirements imposed by stock exchanges, the Financial Accounting Standards Board (FASB), the PCAOB, and the SEC.
Management's Philosophy, Operating Style, and Risk Appetite
Companies also have a risk appetite, which is the amount of risk they are willing to accept to achieve their goals. To avoid undue risk, risk appetite must be in alignment with company strategy.
Risk Assessment and Risk Response
Estimate Costs and Benefits
Determine Costs/Benefits Effectiveness
Identify Controls
Implement Control or Accept, Share, or Avoid the Risk
Estimate Likelihood and Impact
Communicate Information and Monitor Control Processes
Information and Communication
Information and communication systems should capture and exchange the information needed to conduct, manage, and control the organization’s operations.
Monitoring
Track Purchased Software and Mobile Devices
Conduct Periodic Audits
Monitor System Activities
Employ a Computer Security Officer and a Chief Compliance Officer
Use Responsibility Accounting Systems
Engage Forensic Specialists
Implement Effective Supervision
Install Fraud Detection Software
Perform Internal Control Evaluations
Implement a Fraud Hotline