Control and Accounting Information Systems


Control and Accounting Information Systems Chapter 7

INTRODUCTION Why AIS threats are increasing There are computers and servers everywhere, and information is available to an unprecedented number of workers. Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems. Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern. Wireless Technology

INTRODUCTION Historically, many organizations have not adequately protected their data due to one or more of the following reasons: Computer control problems are often underestimated and downplayed. Control implications of moving from centralized, host-based computer systems to networked or Internet-based systems are not always fully understood. Companies have not realized that data is a strategic resource and that data security must be a strategic requirement. Productivity and cost pressures may motivate management to forego time-consuming control measures.

Why Is Control Needed? Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event. The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat. The probability that the threat will happen is the likelihood associated with the threat. Many organizations take on real risk by not adequately protecting their data. Although they may see the threat, many organizations underestimate the impact and the likelihood that a threat will occur.

A Primary Objective of an AIS Is to control the organization so the organization can achieve its objectives Management expects accountants to: Take a proactive approach to eliminating system threats. Detect, correct, and recover from threats when they occur.

Internal Controls Processes implemented to provide assurance that the following objectives are achieved: Safeguard assets/data Maintain sufficient records Provide accurate and reliable information Prepare financial reports according to established criteria Promote and improve operational efficiency Encourage adherence with management policies Comply with laws and regulations Good internal controls are necessary for an organization to achieve its goals.

Functions of Internal Controls Preventive controls Deter problems from occurring Detective controls Discover problems that are not prevented Corrective controls Identify and correct problems; correct and recover from the problems In addition to the functions of internal controls, controls are segregated into two categories: General controls, which ensure that the organization’s control environment is stable and well managed. Application controls, which prevent, detect, and correct transaction errors and fraud in application programs.

IC Categories
General controls: overall IC system and processes; IT infrastructure; software acquisition; systems development; maintenance
Application controls: transactions are processed correctly; data are accurate, complete, and valid; proper authorizations

Internal Control Preventive Control examples Hire qualified personnel Segregation of duties Chart of accounts Physical access controls Assets information Employee training

Internal Control Detective Control examples Preparing bank reconciliations Log analysis Fraud hotline Prepare monthly trial balance

Internal Control Corrective Control examples Back-up copies of master and transaction files Adequate insurance Resubmission of transactions for subsequent processing Correction of data entry errors

Internal Control It is much easier to build controls into a system during the initial stage than to add them after the fact. Management expects accountants to be control consultants by: Taking a proactive approach to eliminating system threats; and Detecting, correcting, and recovering from threats when they do occur. Consequently, accountants and control experts should be members of the teams that develop or modify information systems.

Internal Control Internal control is a process because: It permeates an organization’s operating activities. It is an integral part of basic management activities. Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.

Internal Control Internal control systems have inherent limitations, including: They are susceptible to errors and poor decisions. They can be overridden by management or by collusion of two or more employees. Internal control objectives are often at odds with each other.

FOREIGN CORRUPT PRACTICES ACT In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement. The primary purpose of the act was to prevent the bribery of foreign officials to obtain business. A significant effect was to require that corporations maintain good systems of internal accounting control. It generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems. The resulting internal control improvements weren’t sufficient: Enron, WorldCom, Global Crossing, and others followed.

Sarbanes Oxley (2002) Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud Public Company Accounting Oversight Board (PCAOB) Oversight of auditing profession New Auditing Rules Partners must rotate periodically Prohibited from performing certain non-audit services

Sarbanes Oxley (2002) New Roles for Audit Committee Be part of board of directors and be independent One member must be a financial expert Oversees external auditors New Rules for Management Financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading. The auditors were told about all material internal control weaknesses and fraud. New Internal Control Requirements Management is responsible for establishing and maintaining an adequate internal control system.

SEC Mandate After SOX Base evaluation of internal control on a recognized framework. Disclose all material internal control weaknesses. Conclude that a company does not have effective internal controls over financial reporting if material weaknesses exist.

Control Frameworks
- COBIT: framework for IT control
- COSO: framework for enterprise internal controls (control-based approach)
- COSO-ERM: expands the COSO framework, taking a risk-based approach

COBIT5 Separates Governance from Management

Components of COSO Frameworks
COSO: Control (internal) environment; Risk assessment; Control activities; Information and communication; Monitoring
COSO-ERM: Internal environment; Objective setting; Event identification; Risk assessment; Risk response; Control activities; Information and communication; Monitoring
The major difference between COSO and COSO-ERM is that COSO-ERM’s focus is on a risk-based approach and the components are expanded for this approach (objective setting, event identification, and risk response are added). All of the other components are similar.

Internal Environment Management’s philosophy, operating style, and risk appetite Commitment to integrity, ethical values, and competence Internal control oversight by Board of Directors Organizational structure Methods of assigning authority and responsibility Human resource standards External influences The internal environment establishes the foundation for all other components of the internal control model. Assessing the internal environment involves observing the organizational behavior of management actions and evaluating policies and procedures. For example, is there a written code of conduct that explicitly describes honest and dishonest behaviors? Does the company exhibit good hiring practices by evaluating qualified applicants and conducting thorough background checks?

INTERNAL ENVIRONMENT Management’s philosophy, style, and risk appetite can be assessed by asking questions such as: Does management take undue business risks, or assess potential risks and rewards before acting? Does management attempt to manipulate performance measures such as net income? Does management pressure employees to achieve results regardless of methods, or do they demand ethical behavior?

INTERNAL ENVIRONMENT Commitment to integrity, ethical values, and competence Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence. Ethical standards of behavior make for good business. Tone at the top is everything. Employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.

INTERNAL ENVIRONMENT The board of directors An active and involved board of directors plays an important role in internal control. They should: Oversee management Scrutinize management’s plans, performance, and activities Approve company strategy Review financial results Annually review the company’s security policy Interact with internal and external auditors At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries

INTERNAL ENVIRONMENT Organizational structure A company’s organizational structure defines its lines of authority, responsibility, and reporting. Provides the overall framework for planning, directing, executing, controlling, and monitoring its operations. Statistically, fraud occurs more frequently in organizations with complex structures. The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or The structure may be intentionally complex to facilitate the fraud

INTERNAL ENVIRONMENT Methods of assigning authority and responsibility Management should make sure: Employees understand the entity’s objectives. Authority and responsibility for business objectives are assigned to specific departments and individuals. Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives. Management: Must be sure to identify who is responsible for the IS security policy. Should monitor results so decisions can be reviewed and, if necessary, overruled.

INTERNAL ENVIRONMENT Human resources standards Employees are both the company’s greatest control strength and the greatest control weakness. Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required. Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization’s vulnerability.

INTERNAL ENVIRONMENT The following HR policies and procedures are important: Hiring Compensating Training Evaluating and promoting Discharging Managing disgruntled employees Vacations and rotation of duties Confidentiality insurance and fidelity bonds

INTERNAL ENVIRONMENT External influences External influences that affect the control environment include requirements imposed by: FASB PCAOB SEC Insurance commissions Regulatory agencies for banks, utilities, etc.

Objective Setting
- Strategic objectives: high-level goals
- Operations objectives: effectiveness and efficiency of operations
- Reporting objectives: improve decision making and monitor performance
- Compliance objectives: compliance with applicable laws and regulations
Objective setting is what the company hopes to achieve. This is broken down into four categories, from a high level to specific levels. Strategic objectives are high-level goals and may include considerations that involve the organizational direction relating to governance, business model, or strategy (e.g., grow market share). Operations objectives involve the operations, which we can think of as people, process, and technology. Examples of these types of objectives include internal controls, supply chain and distribution, and human resources. Reporting objectives ensure the accuracy and reliability of your reports. This would include objectives covering access to the systems and protecting the IT systems, in addition to ensuring adequate management review of the reports. Compliance objectives are focused on compliance with all applicable laws and regulations. Many industries have specific regulations (e.g., food manufacturing and financial services). In addition, there are local, state, and federal laws that organizations must comply with, meaning that there are environmental, legal, and contractual compliance considerations. It is also at this high level that an organization’s risk appetite (how much risk is an organization willing to take?) and risk tolerance are formed. In other words, there are trade-offs with risk in organizations. Organizations need to think about how much risk they are willing to take for a certain level of return. Of course there are uncertainties; that is why thinking about risk is so important.

Event Identification Identifying incidents both external and internal to the organization that could affect the achievement of the organization’s objectives Key Management Questions: What could go wrong? How can it go wrong? What is the potential harm? What can be done about it? Risk is two-sided: Opportunities (upside to uncertainty) Risk (downside to uncertainty) For example, consider a chocolate manufacturer that relies on sourcing its cacao beans from certain regions in Africa to get the signature blend of chocolate flavor for its truffles. Its organizational objective is to increase revenues and profitability. What could go wrong? We may not get enough supply of cacao beans to meet our customer demand. How can it go wrong? It is possible that the weather conditions produced a smaller crop, limiting the supply; or it is possible that a civil war broke out in the African region and the crop was produced, but no one was there to get the product off the trees in time due to the war. What is the potential harm? The cost of our cacao beans will go up due to limited supply, and it will have an impact on our customers as we may have to increase our prices. What can be done about it? If we buy cacao bean futures on the market, we may be able to hedge the risk to the supply of cacao required to meet our customer demand and achieve our organizational goals of increasing revenues and profitability.

Risk Assessment Risk is assessed from two perspectives: Likelihood (the probability that the event will occur) and Impact (the estimated potential loss if the event occurs). Types of risk: Inherent (risk that exists before plans are made to control it) and Residual (risk that is left over after you control it). Risk assessment is perhaps the most difficult step for organizations because once they identify what can go wrong, organizations need to think about the probability that it actually will happen and estimate costs. This truly can be a daunting task with a lot of uncertainty! Many organizations will look at this task from a qualitative and a quantitative perspective, provided that they have enough data. From a qualitative perspective, management can simply assign high, medium, or low risk based upon their collective discussion. After assessing all the risks identified in this manner, a heat map can be generated to show which risks are high (usually red), medium (orange), or low (yellow). Quantitative analysis can apply probabilistic techniques to model the cash flow or earnings impact of the risks identified.

Risk Response
- Reduce: implement effective internal control
- Accept: do nothing; accept the likelihood and impact of the risk
- Share: buy insurance, outsource, or hedge
- Avoid: do not engage in the activity
Management can respond to risk in four ways: Reduce the amount of risk by implementing internal controls. Do nothing and accept the likelihood and impact of the risk. Share the risk by buying insurance, doing a joint venture, or hedging transactions (chocolate company example in slide 7-13 notes). Avoid the risk entirely and sell off a division or not manufacture that product line.

Event/Risk/Response Model Event identification The first step in risk assessment and response strategy is event identification.

Event/Risk/Response Model Estimate likelihood and impact Some events pose more risk because they are more probable than others. Some events pose more risk because their dollar impact would be more significant. Likelihood and impact must be considered together: If either increases, the materiality of the event and the need to protect against it rises. Expected loss = Impact x likelihood

Event/Risk/Response Model Identify controls Management must identify one or more controls that will protect the company from each event. In evaluating benefits of each control procedure, consider effectiveness and timing.

Event/Risk/Response Model All other factors equal: A preventive control is better than a detective one. However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover. Consequently, the three complement each other, and a good internal control system should have all three.

Event/Risk/Response Model Estimate costs and benefits It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events. Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.

Event/Risk/Response Model The benefits of an internal control procedure must exceed its costs. Benefits can be hard to quantify, but include: Increased sales and productivity Reduced losses Better integration with customers and suppliers Increased customer loyalty Competitive advantages Lower insurance premiums

Event/Risk/Response Model Costs are usually easier to measure than benefits. Primary cost is personnel, including: Time to perform control procedures Costs of hiring additional employees to effectively segregate duties Costs of programming controls into a system

Event/Risk/Response Model Determine cost-benefit effectiveness After estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the control?

RISK ASSESSMENT AND RISK RESPONSE Implement the control or avoid, share, or accept the risk When controls are cost effective, they should be implemented so risk can be reduced.
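The Event/Risk/Response steps above (expected loss = impact x likelihood, inherent versus residual risk, cost-benefit test, then reduce/accept/share/avoid) carried through in code. This is an added example, not part of the slides; the events, controls, dollar figures, heat-map thresholds and risk appetite are constructed for illustration.

```python
"""Event/Risk/Response model: expected loss, cost-benefit test, response choice."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    impact: float      # estimated dollar loss if the event occurs
    likelihood: float  # probability the event occurs in the period, 0.0 to 1.0

    def expected_loss(self) -> float:
        # Slide formula: expected loss = impact x likelihood (inherent risk)
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float          # personnel, programming, etc.
    residual_impact: float      # impact remaining once the control is in place
    residual_likelihood: float  # likelihood remaining once the control is in place

    def residual_expected_loss(self) -> float:
        return self.residual_impact * self.residual_likelihood


# Heat-map buckets from the qualitative approach; thresholds are assumed.
HIGH_THRESHOLD = 100_000.0
MEDIUM_THRESHOLD = 10_000.0


def qualitative_rating(expected_loss: float) -> str:
    """Map an expected loss onto the high (red) / medium (orange) / low (yellow) buckets."""
    if expected_loss >= HIGH_THRESHOLD:
        return "high"
    if expected_loss >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def net_benefit(event: Event, control: Control) -> float:
    """Reduction in expected loss minus the control's cost.

    The slide's test: a control is cost beneficial when its cost is less than
    the change in expected loss it produces, i.e. when this value is positive.
    """
    reduction = event.expected_loss() - control.residual_expected_loss()
    return reduction - control.annual_cost


def recommend(event: Event, controls: list[Control], risk_appetite: float) -> str:
    """Choose a response in the order the slides describe.

    Reduce with the most cost-beneficial control if any passes the test;
    otherwise accept if the inherent expected loss is within appetite;
    otherwise the risk must be shared (insurance, hedging) or avoided.
    """
    beneficial = [(net_benefit(event, c), c) for c in controls]
    beneficial = [(nb, c) for nb, c in beneficial if nb > 0]
    if beneficial:
        best = max(beneficial, key=lambda pair: pair[0])[1]
        return f"reduce: implement {best.name}"
    if event.expected_loss() <= risk_appetite:
        return "accept"
    return "share or avoid"


# Constructed sample: the chocolate maker's cacao supply disruption from the slides.
SUPPLY_DISRUPTION = Event("cacao supply disruption", impact=500_000, likelihood=0.20)
DUAL_SOURCING = Control("dual sourcing of beans", 15_000, 500_000, 0.05)
LARGE_STOCKPILE = Control("twelve-month bean stockpile", 90_000, 500_000, 0.01)

# Constructed sample: a low-value data-entry error where no control pays for itself.
ENTRY_ERROR = Event("mispriced invoice", impact=20_000, likelihood=0.10)
DOUBLE_KEYING = Control("independent re-keying", 5_000, 0, 0)

if __name__ == "__main__":
    for ev, ctrls in ((SUPPLY_DISRUPTION, [DUAL_SOURCING, LARGE_STOCKPILE]),
                      (ENTRY_ERROR, [DOUBLE_KEYING])):
        print(ev.name, ev.expected_loss(), qualitative_rating(ev.expected_loss()),
              recommend(ev, ctrls, risk_appetite=5_000))
```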

Control Activities Proper authorization of transactions and activities Segregation of duties Project development and acquisition controls Change management controls Design and use of documents and records Safeguarding assets, records, and data Independent checks on performance

CONTROL ACTIVITIES Proper authorization of transactions and activities Management lacks the time and resources to supervise each employee activity and decision. Consequently, they establish policies and empower employees to perform activities within policy. This empowerment is called authorization and is an important part of an organization’s control procedures.

CONTROL ACTIVITIES Authorizations are often documented by signing, initialing, or entering an authorization code. Computer systems can record digital signatures as a means of signing a document. Employees who process transactions should verify the presence of the appropriate authorizations. Auditors review transactions for proper authorization, as their absence indicates a possible control problem.

CONTROL ACTIVITIES Typically at least two levels of authorization: General authorization Management authorizes employees to handle routine transactions without special approval. Specific authorization For activities or transactions that are of significant consequences, management review and approval is required. Might apply to sales, capital expenditures, or write-offs over a particular dollar limit. Management should have written policies for both types of authorization and for all types of transactions.

CONTROL ACTIVITIES Segregation of Accounting Duties No one employee should be given too much responsibility Separate: Authorization Approving transactions and decisions Recording Preparing source documents Entering data into an AIS Maintaining accounting records Custody Handling cash, inventory, fixed assets Receiving incoming checks Writing checks

Segregation of System Duties Like accounting duties, system duties should also be separated. These duties include: System administration Network management Security management Change management Users Systems analysts Programmers Computer operators Information system librarian Data control
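A segregation-of-duties check covering both slides above: a preventive review of role assignments (no one person holds two of authorization, recording and custody) and a detective review of processed transactions for the same conflict. This is an added example, not from the slides; the incompatible system-duty pairs and the employee and transaction data are constructed for illustration.

```python
"""Segregation of duties: flag incompatible duty combinations and transactions."""
from __future__ import annotations
from itertools import combinations

# The slide's three accounting duty classes. Any two held by one person is a conflict.
ACCOUNTING_DUTIES = frozenset({"authorization", "recording", "custody"})

# System duties that should not sit with one person. These pairs are an assumption
# for illustration, drawn from the duty list on the slide.
SYSTEM_CONFLICTS = frozenset({
    frozenset({"programmer", "computer operator"}),
    frozenset({"programmer", "change management"}),
    frozenset({"system administration", "security management"}),
    frozenset({"user", "programmer"}),
})


def sod_conflicts(assignments: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """Preventive check on a role matrix: return each employee's incompatible duty pairs.

    Employees with no conflict are omitted so the result is a clean exception list.
    """
    findings: dict[str, list[tuple[str, str]]] = {}
    for employee, duties in assignments.items():
        conflicts = []
        for a, b in combinations(sorted(duties), 2):
            pair = frozenset({a, b})
            if pair <= ACCOUNTING_DUTIES or pair in SYSTEM_CONFLICTS:
                conflicts.append((a, b))
        if conflicts:
            findings[employee] = conflicts
    return findings


def transactions_violating_sod(transactions: list[dict[str, str]]) -> list[str]:
    """Detective check on processed transactions: one person performed two or more of
    authorizing, recording and holding custody for the same transaction."""
    flagged = []
    for txn in transactions:
        actors = {txn["authorized_by"], txn["recorded_by"], txn["custody_by"]}
        if len(actors) < 3:
            flagged.append(txn["id"])
    return flagged


# Constructed role matrix.
ASSIGNMENTS = {
    "alice": {"authorization", "recording"},          # approves and records: conflict
    "bob": {"custody"},
    "carol": {"programmer", "computer operator"},     # writes and runs code: conflict
    "dan": {"programmer"},
}

# Constructed transaction log.
TRANSACTIONS = [
    {"id": "T1", "authorized_by": "alice", "recorded_by": "bob", "custody_by": "carol"},
    {"id": "T2", "authorized_by": "alice", "recorded_by": "alice", "custody_by": "bob"},
]

if __name__ == "__main__":
    print(sod_conflicts(ASSIGNMENTS))
    print(transactions_violating_sod(TRANSACTIONS))
```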

CONTROL ACTIVITIES Project development and acquisition controls It’s important to have a formal, appropriate, and proven methodology to govern the development, acquisition, implementation, and maintenance of information systems and related technologies. It should contain appropriate controls for: Management review and approval Strategic master plan (yearly reviews and updates) Project development plan Tasks to be performed Project manager Data processing schedule Performance measures Testing Implementation Conversion Post-implementation review

CONTROL ACTIVITIES Change management controls Organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances. Change management is the process of making sure that the changes do not negatively affect: Systems reliability Security Confidentiality Integrity Availability

CONTROL ACTIVITIES Design and use of adequate documents and records Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data. Form and content should be kept as simple as possible to: Promote efficient record keeping Minimize recording errors Facilitate review and verification Documents that initiate a transaction should contain a space for authorization. Those used to transfer assets should have a space for the receiving party’s signature.

CONTROL ACTIVITIES Documents should be sequentially pre-numbered: To reduce the likelihood that they would be used fraudulently. To help ensure that all valid transactions are recorded. A good audit trail facilitates: Tracing individual transactions through the system. Correcting errors. Verifying system output.
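A detective check on sequentially pre-numbered documents, as an added example not taken from the slides: given the document numbers actually recorded and the range issued for the period, report missing numbers (possible unrecorded or diverted documents), duplicates (possible re-use), and numbers outside the issued range. The document register below is constructed.

```python
"""Sequence check for pre-numbered documents (cheques, invoices, receiving reports)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class SequenceReport:
    missing: list[int] = field(default_factory=list)      # issued but never recorded
    duplicates: list[int] = field(default_factory=list)   # recorded more than once
    out_of_range: list[int] = field(default_factory=list) # recorded but not issued this period

    def is_clean(self) -> bool:
        return not (self.missing or self.duplicates or self.out_of_range)


def check_sequence(recorded: list[int], first_issued: int, last_issued: int) -> SequenceReport:
    """Compare recorded document numbers against the issued range first_issued..last_issued."""
    if first_issued > last_issued:
        raise ValueError("issued range is empty or reversed")
    seen: set[int] = set()
    duplicates: set[int] = set()
    out_of_range: set[int] = set()
    for number in recorded:
        if number in seen:
            duplicates.add(number)
        seen.add(number)
        if not first_issued <= number <= last_issued:
            out_of_range.add(number)
    issued = set(range(first_issued, last_issued + 1))
    return SequenceReport(
        missing=sorted(issued - seen),
        duplicates=sorted(duplicates),
        out_of_range=sorted(out_of_range),
    )


# Constructed register: cheques 1001-1007 were issued for the period.
RECORDED_CHEQUES = [1001, 1002, 1004, 1004, 1006, 1010]

if __name__ == "__main__":
    report = check_sequence(RECORDED_CHEQUES, 1001, 1007)
    print(f"missing={report.missing} duplicates={report.duplicates} "
          f"out_of_range={report.out_of_range} clean={report.is_clean()}")
```

Each exception is a follow-up item for the reviewer, not proof of fraud: a missing number may be a voided document that was never logged, and a duplicate may be a keying error.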

CONTROL ACTIVITIES Safeguard assets, records, and data When people consider safeguarding assets, they most often think of cash and physical assets, such as inventory and equipment. Another company asset that needs to be protected is data.

CONTROL ACTIVITIES The following independent checks on performance are typically used: Top-level reviews Analytical reviews Reconciliation of independently maintained sets of records Comparison of actual quantities with recorded amounts Double-entry accounting Independent review

Information and Communication Primary purpose of an AIS Gather Record Process Summarize Communicate

Monitoring Perform internal control evaluations (e.g., internal audit) Implement effective supervision Use responsibility accounting systems (e.g., budgets) Monitor system activities Track purchased software and mobile devices Conduct periodic audits (e.g., external, internal, network security) Employ computer security officer Engage forensic specialists Install fraud detection software Implement fraud hotline