Presentation on theme: "Control and Accounting Information Systems"— Presentation transcript:
Slide 1: Control and Accounting Information Systems (Chapter 7)
Slide 2: Learning Objectives
- Explain basic control concepts and why computer control and security are important.
- Compare and contrast the COBIT, COSO, and ERM control frameworks.
- Describe the major elements in the internal environment of a company.
- Describe the four types of control objectives that companies need to set.
- Describe the events that affect uncertainty and the techniques used to identify them.
- Explain how to assess and respond to risk using the Enterprise Risk Management model.
- Describe control activities commonly used in companies.
- Describe how to communicate information and monitor control processes in organizations.
Slide 3: Why Is Control Needed?
- Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.
- The potential dollar loss should a particular threat become a reality is the exposure or impact of the threat.
- The probability that the threat will happen is the likelihood associated with the threat.
Slide 4: A Primary Objective of an AIS
- Is to control the organization so that it can achieve its objectives.
- Management expects accountants to:
  - Take a proactive approach to eliminating system threats.
  - Detect, correct, and recover from threats when they occur.
Slide 5: Internal Controls
Processes implemented to provide assurance that the following objectives are achieved:
- Safeguard assets.
- Maintain sufficient records.
- Provide accurate and reliable information.
- Prepare financial reports according to established criteria.
- Promote and improve operational efficiency.
- Encourage adherence to management policies.
- Comply with laws and regulations.
Slide 6: Functions of Internal Controls
- Preventive controls: deter problems from occurring.
- Detective controls: discover problems that are not prevented.
- Corrective controls: identify and correct problems, and recover from their consequences.
Slide 7: Control Frameworks
- COBIT: framework for IT control.
- COSO: framework for enterprise internal controls (control-based approach).
- COSO-ERM: expands the COSO framework, taking a risk-based approach.
Slide 8: COBIT Framework
- The current version at the time of these slides is COBIT 5 (ISACA has since published COBIT 2019).
- Based on the following principles:
  - Meeting stakeholder needs.
  - Covering the enterprise end-to-end.
  - Applying a single, integrated framework.
  - Enabling a holistic approach.
  - Separating governance from management.
Slide 10: Components of the COSO Frameworks
COSO (internal control):
- Control (internal) environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
COSO-ERM:
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
Slide 11: Internal Environment
- Management's philosophy, operating style, and risk appetite.
- Commitment to integrity, ethical values, and competence.
- Internal control oversight by the Board of Directors.
- Organizational structure.
- Methods of assigning authority and responsibility.
- Human resource standards.
Slide 12: Objective Setting
- Strategic objectives: high-level goals.
- Operations objectives: effectiveness and efficiency of operations.
- Reporting objectives: improve decision making and monitor performance.
- Compliance objectives: compliance with applicable laws and regulations.
Slide 13: Event Identification
Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization's objectives.
Key management questions:
- What could go wrong?
- How can it go wrong?
- What is the potential harm?
- What can be done about it?
Slide 14: Risk Assessment
Risk is assessed from two perspectives:
- Likelihood: the probability that the event will occur.
- Impact: an estimate of the potential loss if the event occurs.
Types of risk:
- Inherent risk: the risk that exists before plans are made to control it.
- Residual risk: the risk that is left over after controls are applied.
Slide 15: Risk Response
- Reduce: implement effective internal controls.
- Accept: do nothing; accept the likelihood and impact of the risk.
- Share: buy insurance, outsource, or hedge.
- Avoid: do not engage in the activity.
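The risk assessment and risk response slides describe one procedure: estimate expected loss as likelihood times impact, compare inherent risk with the residual risk left after a control, and pick among reduce, accept, share and avoid. The following is an added worked example, not code from the slides or the textbook; the threat, the control's effect, the insurance terms and the profit figure are all constructed numbers, and the `Threat`, `Control` and `compare_responses` names are this example's own.

```python
"""Expected-loss model behind the risk assessment and risk response slides.

Added illustration, not part of the original slides; every figure is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # probability the event occurs in a year (0..1)
    impact: float      # exposure: dollar loss if it does occur

    def expected_loss(self) -> float:
        """Expected annual loss = likelihood x impact."""
        return self.likelihood * self.impact


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    likelihood_factor: float = 1.0  # 0.2 means the control cuts likelihood by 80%
    impact_factor: float = 1.0      # 0.5 means it halves the loss when the event happens

    def apply(self, t: Threat) -> Threat:
        return Threat(t.name, t.likelihood * self.likelihood_factor,
                      t.impact * self.impact_factor)


def residual_risk(inherent: Threat, controls: list[Control]) -> Threat:
    """Inherent risk is what exists before controls; residual is what is left after them."""
    t = inherent
    for c in controls:
        t = c.apply(t)
    return t


def net_benefit(inherent: Threat, controls: list[Control]) -> float:
    """Benefit of a control set = reduction in expected loss minus what the controls cost."""
    saved = inherent.expected_loss() - residual_risk(inherent, controls).expected_loss()
    return saved - sum(c.annual_cost for c in controls)


def compare_responses(inherent, controls, premium, coverage, activity_profit):
    """Annual expected net value of each of the four ERM responses (higher is better).

    reduce: keep the activity and put the controls in place
    accept: keep the activity and do nothing about the risk
    share:  keep the activity and buy insurance paying up to `coverage` per event
    avoid:  drop the activity, giving up both its profit and its risk
    """
    residual = residual_risk(inherent, controls)
    uncovered = inherent.likelihood * max(0.0, inherent.impact - coverage)
    return {
        "reduce": activity_profit - residual.expected_loss()
                  - sum(c.annual_cost for c in controls),
        "accept": activity_profit - inherent.expected_loss(),
        "share": activity_profit - premium - uncovered,
        "avoid": 0.0,
    }


def best_response(values: dict) -> str:
    return max(values, key=values.get)


# Constructed scenario: a fraudulent vendor payment through accounts payable.
FRAUD = Threat("fraudulent vendor payment", likelihood=0.10, impact=500_000)
SOD = Control("segregation of duties + independent check",
              annual_cost=12_000, likelihood_factor=0.2)

if __name__ == "__main__":
    print(f"inherent expected loss: {FRAUD.expected_loss():,.0f}")
    print(f"residual expected loss: {residual_risk(FRAUD, [SOD]).expected_loss():,.0f}")
    print(f"net benefit of control: {net_benefit(FRAUD, [SOD]):,.0f}")
    values = compare_responses(FRAUD, [SOD], premium=30_000,
                               coverage=400_000, activity_profit=200_000)
    for r, v in values.items():
        print(f"{r:7s} {v:>10,.0f}")
    print("best response:", best_response(values))
```

With these constructed figures the control cuts expected loss from 50,000 to 10,000 a year for 12,000, so "reduce" beats accepting the risk, insuring it, or walking away from the activity; changing the control cost or the insurance premium in the call shows how quickly the ranking flips.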
Slide 16: Control Activities
- Proper authorization of transactions and activities.
- Segregation of duties.
- Project development and acquisition controls.
- Change management controls.
- Design and use of documents and records.
- Safeguarding assets, records, and data.
- Independent checks on performance.
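Two of the control activities listed above, proper authorization and segregation of duties, can be checked mechanically against the roles a system grants. The following added example (not from the slides) models a small accounts-payable role set and implements a detective control, a scan for users holding incompatible duties, and a preventive control, an authorization check on a payment that rejects self-approval, unauthorized approvers and amounts over the approver's limit. The roles, duty pairs, approval limits, users and transactions are all constructed for the illustration.

```python
"""Segregation-of-duties scan and payment authorization check.

Added example; the roles, duties, limits, users and transactions are constructed.
"""
from itertools import combinations

# Duties each role grants (constructed).
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "cfo": {"approve_payment"},
    "treasury": {"release_payment"},
    "controller": {"reconcile_bank"},
}

# Duty pairs one person must never hold together: combining authorization,
# custody and recording of the same transaction stream lets one person both
# commit a fraud and conceal it.
INCOMPATIBLE = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"release_payment", "reconcile_bank"}),
}

# Dollar limit each approving role may authorize (constructed).
APPROVAL_LIMIT = {"ap_manager": 50_000, "cfo": float("inf")}

# Constructed user-to-role assignments; carol and dave are the violations.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager"},
    "carol": {"ap_clerk", "ap_manager"},
    "dave": {"treasury", "controller"},
    "erin": {"cfo"},
}


def duties_of(user: str, user_roles: dict) -> set:
    """All duties a user holds through any of their roles."""
    return set().union(*(ROLE_DUTIES.get(r, set()) for r in user_roles.get(user, set())))


def sod_violations(user_roles: dict) -> dict:
    """Detective control: map each user to the incompatible duty pairs they hold."""
    found = {}
    for user in user_roles:
        held = duties_of(user, user_roles)
        pairs = [tuple(sorted(p)) for p in combinations(sorted(held), 2)
                 if frozenset(p) in INCOMPATIBLE]
        if pairs:
            found[user] = sorted(pairs)
    return found


def authorize(txn: dict, user_roles: dict) -> list:
    """Preventive control: reasons a payment must be rejected (empty list = approved)."""
    problems = []
    preparer, approver = txn["prepared_by"], txn["approved_by"]
    if preparer == approver:
        problems.append("self-approval: preparer and approver are the same person")
    if "approve_payment" not in duties_of(approver, user_roles):
        problems.append(f"{approver} is not authorized to approve payments")
    limit = max((APPROVAL_LIMIT.get(r, 0) for r in user_roles.get(approver, set())),
                default=0)
    if txn["amount"] > limit:
        problems.append(f"amount {txn['amount']} exceeds {approver}'s limit of {limit}")
    return problems


if __name__ == "__main__":
    for user, pairs in sod_violations(USER_ROLES).items():
        print(f"SoD violation: {user} holds {pairs}")
    sample = {"amount": 80_000, "prepared_by": "alice", "approved_by": "bob"}
    print("authorize:", authorize(sample, USER_ROLES) or "approved")
```

Running the scan periodically against the live role assignment is the detective half; wiring `authorize` into the payment workflow before a payment is released is the preventive half. The two reinforce each other: the SoD scan catches a role grant that should never have happened, while the authorization check stops a single transaction that slips through.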