Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Presentation transcript:


Learning Objectives
- Explain basic control concepts and explain why computer control and security are important.
- Compare and contrast the COBIT, COSO, and ERM control frameworks.
- Describe the major elements in the internal environment of a company.
- Describe the four types of control objectives that companies need to set.
- Describe the events that affect uncertainty and the techniques used to identify them.
- Explain how to assess and respond to risk using the Enterprise Risk Management (ERM) model.
- Describe control activities commonly used in companies.
- Describe how to communicate information and monitor control processes in organizations.

Internal Control
- System to provide reasonable assurance that objectives are met, such as:
  - Safeguard assets.
  - Maintain records in sufficient detail to report company assets accurately and fairly.
  - Provide accurate and reliable information.
  - Prepare financial reports in accordance with established criteria.
  - Promote and improve operational efficiency.
  - Encourage adherence to prescribed managerial policies.
  - Comply with applicable laws and regulations.

Internal Control
- Functions
  - Preventive: Deter problems
  - Detective: Discover problems
  - Corrective: Correct problems
- Categories
  - General: Overall IC system and processes
  - Application: Transactions are processed correctly

Sarbanes Oxley (2002)
- Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud
- Public Company Accounting Oversight Board (PCAOB)
  - Oversight of auditing profession
- New Auditing Rules
  - Partners must rotate periodically
  - Prohibited from performing certain non-audit services

Sarbanes Oxley (2002)
- New Roles for Audit Committee
  - Be part of board of directors and be independent
  - One member must be a financial expert
  - Oversees external auditors
- New Rules for Management
  - Financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
  - The auditors were told about all material internal control weaknesses and fraud.
- New Internal Control Requirements
  - Management is responsible for establishing and maintaining an adequate internal control system.

SOX Management Rules
- Base evaluation of internal control on a recognized framework.
- Disclose all material internal control weaknesses.
- Conclude that a company does not have effective financial reporting internal controls if there are material weaknesses.

Internal Control Frameworks
- Control Objectives for Information and Related Technology (COBIT)
  - Business objectives
  - IT resources
  - IT processes
- Committee of Sponsoring Organizations (COSO)
  - Internal control—integrated framework
    - Control environment
    - Control activities
    - Risk assessment
    - Information and communication
    - Monitoring

Internal Control
- Enterprise Risk Management Model
  - Risk-based vs. control-based
  - COSO elements +
    - Setting objectives
    - Event identification
    - Risk assessment
      - Can be controlled but also
        - Accepted
        - Diversified
        - Shared
        - Transferred

Control Environment
- Management’s philosophy, operating style, and risk appetite
- The board of directors
- Commitment to integrity, ethical values, and competence
- Organizational structure
- Methods of assigning authority and responsibility
- Human resource standards
- External influences

ERM—Objective Setting
- Strategic
  - High-level goals aligned with corporate mission
- Operational
  - Effectiveness and efficiency of operations
- Reporting
  - Complete and reliable
  - Improve decision making
- Compliance
  - Laws and regulations are followed

ERM—Event Identification
- “…an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.”
- Positive or negative impacts (or both)
- Events may trigger other events
- All events should be anticipated

Risk Assessment
- Identify Risk
  - Identify likelihood of risk
  - Identify positive or negative impact
- Types of Risk
  - Inherent
    - Risk that exists before any plans are made to control it
  - Residual
    - Remaining risk after controls are in place to reduce it

ERM—Risk Response
- Reduce
  - Implement effective internal control
- Accept
  - Do nothing, accept likelihood of risk
- Share
  - Buy insurance, outsource, hedge
- Avoid
  - Do not engage in activity that produces risk

Event/Risk/Response Model

Control Activities
- Policies and procedures to provide reasonable assurance that control objectives are met:
  - Proper authorization of transactions and activities
    - Signature or code on document to signal authority over a process
  - Segregation of duties
  - Project development and acquisition controls
  - Change management controls
  - Design and use of documents and records
  - Safeguarding assets, records, and data
  - Independent checks on performance

Segregation of Accounting Duties
- No one employee should be given too much responsibility
- Separate:
  - Authorization
    - Approving transactions and decisions
  - Recording
    - Preparing source documents
    - Entering data into an AIS
    - Maintaining accounting records
  - Custody
    - Handling cash, inventory, fixed assets
    - Receiving incoming checks
    - Writing checks

Information and Communication
- Primary purpose of an AIS
  - Gather
  - Record
  - Process
  - Summarize
  - Communicate

Monitoring
- Evaluate internal control framework.
- Effective supervision.
- Responsibility accounting system.
- Monitor system activities.
- Track purchased software and mobile devices.
- Conduct periodic audits.
- Employ a security officer and compliance officer.
- Engage forensic specialists.
- Install fraud detection software.
- Implement a fraud hotline.

Segregation of System Duties
- Like accounting duties, system duties should also be separated
- These duties include:
  - System administration
  - Network management
  - Security management
  - Change management
  - Users
  - Systems analysts
  - Programmers
  - Computer operators
  - Information system librarian
  - Data control