Deck 8 Accounting Information Systems Romney and Steinbart Linda Batch March 2012.

Contents
Learning Objectives
– Recap: COSO ERM already covered
– COSO ERM: the 8 components of ERM
  – Control Activities
  – Information and Communication
  – Monitoring
– Microsoft Access Animal Shelter Forms
– How to print out your tax form
– Stop Start Continue

Recap Chapter 7 – Control and Accounting Information Systems
Definitions
– Threat or event – a potential adverse or beneficial occurrence
– Exposure or impact – the potential dollar loss from a threat, or loss of reputation
– Likelihood – the probability that the threat will occur
– Inherent risk – the risk that exists before controls are implemented
– Residual risk – the risk that remains once controls are implemented
Internal control – the process implemented within an organization to provide reasonable assurance that control objectives are achieved

Chapter 7 – Internal Controls
Internal controls perform three functions
– Preventive controls deter problems before they arise
  – Segregating employee duties
  – Controlling physical access to assets
– Detective controls discover problems that were not prevented
  – Preparing bank reconciliations
  – Preparing monthly trial balances
  – Duplicate checking of calculations
– Corrective controls correct and recover from the resulting errors
  – Maintaining backup copies of files
  – Correcting data entry errors

Chapter 7 – Internal Controls
Internal controls are often segregated into two categories
– General controls make an organization's control environment stable and well managed
  – Security
  – IT infrastructure
  – Software acquisition
  – Development
  – Maintenance
– Application controls make sure transactions are processed correctly, checking the accuracy, completeness, validity and authorization of the data captured, entered, processed, stored, transmitted to other systems and reported

Chapter 7 – Control Frameworks
Three frameworks used to develop internal control systems will be discussed
– COBIT – Control Objectives for Information and related Technology, developed by the Information Systems Audit and Control Association (ISACA)
– COSO – the Committee of Sponsoring Organizations developed the Internal Control – Integrated Framework (IC)
– COSO – Enterprise Risk Management – Integrated Framework (ERM)

Chapter 7 – Control Frameworks
COSO's Internal Control Framework
– Control environment – the core of any business is its people
– Control activities – control policies and procedures
– Risk assessment – identify, analyze, and manage risks
– Information and communication – systems capture and exchange the information needed to conduct, manage, and control the organization's operations
– Monitoring – the entire process must be monitored and must evolve as conditions warrant
Limitation of this framework
– It examines controls without looking at the purpose and risks of business processes, and so gives no context for determining which control processes are most important, whether they address the risks, and whether controls are missing

Chapter 7 – Control Frameworks
COSO's ERM Framework
– Takes a risk-based approach rather than a controls-based approach
– Adds three elements to COSO's IC Framework
  – Setting objectives
  – Identifying events that may affect the company
  – Developing a response to assessed risk
– Controls become flexible and relevant because they are linked to business objectives
– The ERM model also recognizes that, in addition to being controlled, risk can be accepted, avoided, diversified, shared or transferred
Example of a transferred risk?

Chapter 7 – COSO ERM Model

Chapter 7 – COSO ERM
(1) Internal Environment
The company culture (internal environment) influences how the organization
– Sets strategies and objectives
– Structures business activities
– Identifies, assesses, and responds to risk
It is the foundation for the seven other ERM components
(2) Objective Setting
Management decides what the company hopes to achieve by defining a vision or mission, which is divided into more specific objectives as it is cascaded down the corporate ladder into the divisions and business units

Chapter 7 – COSO ERM
(3) Event Identification
– An event is an incident or occurrence, either internal or external, that affects the implementation of strategy or the achievement of objectives
(4, 5) Risk Assessment and Response
– Risk responses: reduce, accept, share, avoid
– Design effective controls and monitor the operation or application of those controls
– Steps for risk assessment and response:
  a) Estimate likelihood and impact
  b) Identify controls
  c) Estimate costs and benefits
  d) Determine cost/benefit effectiveness
  e) Implement the control, or accept, share or avoid the risk
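The five steps above can be carried through as a small calculation. The following is an added example, not part of the deck or of the Romney and Steinbart text; it assumes the usual convention that expected loss is likelihood times impact, that a control's benefit is the reduction in expected loss it produces, and that a control is worth implementing only when that benefit exceeds its cost. The threat names, probabilities, dollar figures and the risk-appetite threshold are constructed for illustration. Because the slide gives no rule for choosing between sharing and avoiding a risk, the two are reported together.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float  # probability the event occurs in the period (e.g. per year)
    impact: float      # exposure: dollar loss if it does occur


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    residual_likelihood: float  # likelihood once the control operates
    residual_impact: float      # impact once the control operates


def expected_loss(likelihood: float, impact: float) -> float:
    """Step a): expected loss = likelihood x impact (assumed convention, not stated on the slide)."""
    return likelihood * impact


def inherent_risk(threat: Threat) -> float:
    """Risk before any control is implemented."""
    return expected_loss(threat.likelihood, threat.impact)


def residual_risk(control: Control) -> float:
    """Risk that remains once the control is implemented."""
    return expected_loss(control.residual_likelihood, control.residual_impact)


def net_benefit(threat: Threat, control: Control) -> float:
    """Steps c) and d): benefit is the reduction in expected loss, net of the control's annual cost."""
    return inherent_risk(threat) - residual_risk(control) - control.annual_cost


def respond(threat: Threat, candidates: list[Control], risk_appetite: float) -> tuple[str, Optional[str]]:
    """Step e): implement the control with the largest positive net benefit; otherwise accept the
    risk if its inherent expected loss is within appetite, or refer it for sharing / avoidance."""
    ranked = sorted(candidates, key=lambda c: net_benefit(threat, c), reverse=True)
    if ranked and net_benefit(threat, ranked[0]) > 0:
        return ("reduce", ranked[0].name)
    if inherent_risk(threat) <= risk_appetite:
        return ("accept", None)
    return ("share or avoid", None)


# Constructed sample figures (not from the slides)
RISK_APPETITE = 10_000.0
VENDOR_FRAUD = Threat("Fraudulent vendor payment", likelihood=0.10, impact=250_000.0)
VENDOR_CONTROLS = [
    Control("Three-way match of PO, receiving report and invoice", 8_000.0, 0.02, 250_000.0),
    Control("Dual approval of payments above a threshold", 15_000.0, 0.01, 250_000.0),
]
FLOOD = Threat("Data centre flood", likelihood=0.01, impact=2_000_000.0)
FLOOD_CONTROLS = [Control("Flood barriers", 30_000.0, 0.002, 2_000_000.0)]
PETTY_CASH = Threat("Petty cash shortage", likelihood=0.5, impact=200.0)


if __name__ == "__main__":
    for threat, controls in [(VENDOR_FRAUD, VENDOR_CONTROLS), (FLOOD, FLOOD_CONTROLS), (PETTY_CASH, [])]:
        print(f"{threat.name}: inherent expected loss ${inherent_risk(threat):,.0f}")
        for c in controls:
            print(f"  {c.name}: residual ${residual_risk(c):,.0f}, net benefit ${net_benefit(threat, c):,.0f}")
        print("  response:", respond(threat, controls, RISK_APPETITE))
```

With these figures the vendor-fraud threat is reduced by the three-way match (net benefit 12,000 versus 7,500 for dual approval), the flood has no control whose benefit covers its cost and sits above appetite, so it is referred for sharing or avoidance, and the petty-cash shortage is simply accepted.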

Chapter 7 – COSO ERM
(6) Control Activities – This is important
Control activities are policies and procedures that provide reasonable assurance that control objectives are met and risk responses are carried out. Control procedures are categorized as follows:
  a) Proper authorization of transactions and activities
  b) Segregation of duties (accounting and systems)
  c) Project development and acquisition controls
  d) Change management controls
  e) Design and use of documents and records
  f) Safeguarding assets, records, and data
  g) Independent checks on performance

(6) Control Activities – Segregation of Accounting Duties (Fig 7-3)

(6) Control Activities – Segregation of Accounting Duties
In a business process (or computer system) with effective segregation of duties, it is difficult for any single employee to embezzle successfully. Where employees collude, embezzlement is more difficult to prevent; employees can collude with other employees, vendors, or customers.

(6) Control Activities – Segregation of Accounting Duties
– Most common employee / vendor collusions
  – Billing at inflated prices
  – Receiving full payment for substandard work
  – Payment for non-performance
  – Duplicate billing
  – Improperly purchasing more goods from a colluding company
– Most common employee / customer collusions
  – Unauthorized loans
  – Unauthorized insurance payments
  – Receipt of assets or services at unauthorized discounted prices
  – Forgiveness of amounts owed
  – Unauthorized extension of due dates on receivables

(6) Control Activities – Segregation of System Duties
Any person with unrestricted access to the computer, the programs, and the transactional data can perpetrate and conceal fraud. Authority and responsibility should be separated among the following functions:
– Systems administration
– Network management
– Security management
– Change management
– Users
– Systems analysts
– Programming
– Computer operation
– Information systems library
– Data control
Systems staff do not have any access to change tables, software or master data, or to run transactions, in the production system.
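Segregation of duties is usually verified by reviewing who holds which functions and flagging combinations that should not sit with one person. The following is an added example, not from the deck or the textbook, of such a review over a constructed set of role assignments. The function names come from the slide's list; the pairs marked incompatible are an assumption (the slide lists the functions but no conflict matrix), as are the user names and the labels used for production rights. The second check implements the slide's rule that systems staff must not hold the ability to change tables, software or master data, or to run transactions, in production.

```python
from itertools import combinations

# System functions listed on the slide (lowercase keys; "users" are business users)
SYSTEMS_FUNCTIONS = {
    "systems administration", "network management", "security management",
    "change management", "systems analysis", "programming",
    "computer operation", "information systems library", "data control",
}

# Assumed incompatible pairs for illustration; the slide gives no conflict matrix.
INCOMPATIBLE = {frozenset(pair) for pair in [
    ("programming", "computer operation"),
    ("programming", "change management"),
    ("systems analysis", "programming"),
    ("security management", "systems administration"),
    ("information systems library", "computer operation"),
    ("data control", "users"),
]}

# Rights the slide says systems staff must not hold in the production system (labels are assumed)
PRODUCTION_RIGHTS = {
    "run production transactions", "change production tables",
    "change production software", "change production master data",
}


def find_conflicts(assignments: dict[str, set[str]]) -> dict[str, list[tuple[str, str]]]:
    """Return {user: sorted list of incompatible (duty_a, duty_b) pairs} for users who hold any."""
    findings = {}
    for user, duties in assignments.items():
        pairs = [tuple(sorted(p)) for p in combinations(sorted(duties), 2)
                 if frozenset(p) in INCOMPATIBLE]
        if pairs:
            findings[user] = sorted(pairs)
    return findings


def find_production_access(assignments: dict[str, set[str]]) -> dict[str, set[str]]:
    """Return {user: production rights held} for users who also hold a systems function."""
    findings = {}
    for user, duties in assignments.items():
        if duties & SYSTEMS_FUNCTIONS:
            held = duties & PRODUCTION_RIGHTS
            if held:
                findings[user] = held
    return findings


def review(assignments: dict[str, set[str]]) -> list[str]:
    """Combine both checks into a sorted list of human-readable findings."""
    lines = []
    for user, pairs in find_conflicts(assignments).items():
        for a, b in pairs:
            lines.append(f"{user}: incompatible duties '{a}' and '{b}'")
    for user, rights in find_production_access(assignments).items():
        lines.append(f"{user}: systems staff holding production rights {sorted(rights)}")
    return sorted(lines)


# Constructed sample assignments (not real users or roles)
SAMPLE = {
    "alice": {"programming", "computer operation"},          # classic conflict
    "bob":   {"programming", "run production transactions"}, # systems staff in production
    "carol": {"users", "run production transactions"},       # business user: allowed
    "dave":  {"security management", "network management"},  # no finding
}


if __name__ == "__main__":
    for line in review(SAMPLE):
        print(line)
```

Running the review lists two findings: alice combines programming with computer operation, and bob, a programmer, can run production transactions. carol holds the same production right but is a business user, so the slide's rule does not apply to her.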

(6) Control Activities – Independent Checks on Performance
– Top-level reviews – actual to budget to forecast; prior-period and competitor comparisons
– Analytical reviews – relationships between different sets of data (COGS to sales, for example)
– Reconciliations of independently maintained records – subledger to general ledger, bank statement to general ledger
– Actual quantities to recorded amounts – physical inventory verification, fixed asset counts
– Double-entry accounting – total debits compared to total credits
– Independent review – external and internal audit, compliance reviews
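Three of the checks listed above, the double-entry check, the reconciliations and the analytical review, are straightforward to automate as detective controls over a ledger extract. The following is an added example, not from the deck or the textbook; the journal entries, subledger balances, bank figures and ratios are constructed sample data, and one journal entry is deliberately unbalanced so the double-entry check has something to find. Amounts are held as Decimal so cents compare exactly.

```python
from decimal import Decimal

# Constructed sample data (not from the slides).
# JE-003 is deliberately unbalanced (a 120/102 transposition) so the double-entry check finds it.
JOURNAL = [
    {"id": "JE-001", "lines": [("1100 Accounts receivable", Decimal("500.00"), Decimal("0")),
                               ("4000 Sales", Decimal("0"), Decimal("500.00"))]},
    {"id": "JE-002", "lines": [("1000 Cash", Decimal("300.00"), Decimal("0")),
                               ("1100 Accounts receivable", Decimal("0"), Decimal("300.00"))]},
    {"id": "JE-003", "lines": [("5000 Cost of goods sold", Decimal("120.00"), Decimal("0")),
                               ("1300 Inventory", Decimal("0"), Decimal("102.00"))]},
]
AR_SUBLEDGER = {"Customer A": Decimal("150.00"), "Customer B": Decimal("50.00")}
AR_CONTROL_BALANCE = Decimal("200.00")            # GL control account after JE-001 and JE-002
BANK_STATEMENT_BALANCE = Decimal("1250.00")
DEPOSITS_IN_TRANSIT = [Decimal("300.00")]         # receipt booked in JE-002, not yet on the statement
OUTSTANDING_CHECKS = [Decimal("75.00"), Decimal("125.00")]
BOOK_CASH_BALANCE = Decimal("1350.00")
RATIOS = {"COGS / Sales": (Decimal("0.62"), Decimal("0.55"))}   # (current period, prior period)


def unbalanced_entries(journal):
    """Double-entry check: (entry id, debits minus credits) for every entry that does not balance."""
    findings = []
    for entry in journal:
        debits = sum((line[1] for line in entry["lines"]), Decimal("0"))
        credits = sum((line[2] for line in entry["lines"]), Decimal("0"))
        if debits != credits:
            findings.append((entry["id"], debits - credits))
    return findings


def subledger_vs_control(subledger, control_balance):
    """Reconciliation: sum of subledger balances minus the GL control account; zero means agreed."""
    return sum(subledger.values(), Decimal("0")) - control_balance


def bank_reconciliation(statement_balance, deposits_in_transit, outstanding_checks, book_balance):
    """Reconciliation: adjusted bank balance minus the book balance; zero means agreed."""
    adjusted_bank = (statement_balance
                     + sum(deposits_in_transit, Decimal("0"))
                     - sum(outstanding_checks, Decimal("0")))
    return adjusted_bank - book_balance


def analytical_review(ratios, tolerance=Decimal("0.05")):
    """Analytical review: names of ratios whose current value moved more than tolerance from prior."""
    return sorted(name for name, (current, prior) in ratios.items() if abs(current - prior) > tolerance)


if __name__ == "__main__":
    print("unbalanced entries:", unbalanced_entries(JOURNAL))
    print("AR subledger vs control difference:", subledger_vs_control(AR_SUBLEDGER, AR_CONTROL_BALANCE))
    print("bank vs book difference:", bank_reconciliation(BANK_STATEMENT_BALANCE, DEPOSITS_IN_TRANSIT,
                                                          OUTSTANDING_CHECKS, BOOK_CASH_BALANCE))
    print("ratios needing follow-up:", analytical_review(RATIOS))
```

On this data the two reconciliations agree to the cent, the double-entry check reports JE-003 with an 18.00 excess of debits, and the COGS-to-sales ratio is flagged because it moved by seven points against a five-point tolerance.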

Chapter 7 – COSO ERM
(7) Information and Communication
Relates directly to the primary purpose of an AIS
– Gather, record, process, store, summarize and communicate information about an organization
– This includes understanding accounting records, procedures, supporting documents, and financial statements
According to the AICPA, an AIS has five primary objectives
– Identify and record all valid transactions
– Properly classify transactions
– Record transactions at their proper monetary value
– Record transactions in the proper accounting period
– Properly present transactions and related disclosures in the financial statements

Chapter 7 – COSO ERM
(8) Monitoring
ERM processes must be continually monitored
– ERM evaluations
– Implement effective supervision
– Responsibility accounting systems (budgets, schedules, etc.)
– Monitor system activities
– Track purchased software and mobile devices
– Conduct periodic audits
– Computer Security Officer and Chief Compliance Officer
– Engage forensic specialists to identify fraud
– Install fraud detection software
– Implement a fraud hotline

Chapter 7 – COSO ERM Model

Appendix – System Changes
Systems staff do not have any access to change tables, software or master data, or to run transactions, in the production system.

Segregation of System Duties – Example
– The business decides it wants to make a change: add a business unit due to an acquisition
– A business project lead is assigned
– The project lead involves the business change control agents (such as the managers for process improvement (MPIs) for each of the business cycle areas)
– The MPIs work with the business and subject matter experts to define the system requirements
– The Finance MPI involves the corporate-appointed business controls steward

Segregation of System Duties
– Systems analysts, with the MPI, write the system change definition documents
– System changes are made by the IT team in a test environment
  – Systems analysts change system parameters where programming is not specifically required (such as setting up new cost centers)
  – Programmers make changes to the computer programs
  – Hardware, internet connectivity, etc. are established by the basis and network communication teams
  – System access and system profiles are established for all new employees by the Systems Security team in the test environment (alignment of business functions and access)

Segregation of System Duties
– Master data is updated in the test environment by the business staff responsible for master data changes
– Business and system test scenarios are either pulled from the existing test database or are designed
– A test manager is appointed and manages the coordination and execution of the system tests, working with the MPIs, who coordinate the tests in each business function
  – Tests are interdependent and require significant coordination
  – Accounting verifies the accounting documents for all business streams
  – Every test is formally approved by the stream and by accounting
– The Change Control manager gathers all the test documentation and solicits approval for the system changes from the MPIs

Segregation of System Duties
– Internal audit may perform a review to ensure consistency of process and approvals
– If the project is large enough, a system Cutover Manager is appointed. This person manages the system go-live:
  – The production system is isolated from business operations by turning off automated jobs, etc.
  – Master data is recreated in the production system by the appropriate business staff
  – System changes are moved into the production system using transports (these need to be stacked in the correct order, as changes can be interdependent)
  – Some system functionality needs to be re-established
  – Sanity checking is executed to ensure that basic system functionality is working; each business cycle performs its own sanity checking
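The cutover step that stacks transports "in the correct order" is a dependency-ordering problem: each transport must be imported after every transport it builds on, and a circular dependency means the stack cannot be released as-is. The following is an added example, not from the deck or from any transport tool, showing how a cutover manager could compute and verify such an order. The transport identifiers and their dependencies are constructed; the ordering algorithm is a standard topological sort with alphabetical tie-breaking so the result is reproducible.

```python
def order_transports(dependencies: dict[str, set[str]]) -> list[str]:
    """Return a release order in which every prerequisite precedes the transports that need it.

    dependencies maps each transport id to the set of transport ids that must be imported first.
    Ties are broken alphabetically so two runs over the same input give the same stack.
    Raises ValueError if the dependencies contain a cycle (no valid stack exists).
    """
    nodes = set(dependencies)
    for prereqs in dependencies.values():
        nodes |= set(prereqs)            # a prerequisite named only on the right-hand side still counts
    indegree = {n: 0 for n in nodes}     # number of unreleased prerequisites per transport
    dependants = {n: set() for n in nodes}
    for transport, prereqs in dependencies.items():
        for p in prereqs:
            indegree[transport] += 1
            dependants[p].add(transport)

    ready = sorted(n for n in nodes if indegree[n] == 0)
    order = []
    while ready:
        current = ready.pop(0)
        order.append(current)
        for d in sorted(dependants[current]):
            indegree[d] -= 1
            if indegree[d] == 0:
                ready.append(d)
                ready.sort()
    if len(order) != len(nodes):
        stuck = sorted(n for n in nodes if indegree[n] > 0)
        raise ValueError(f"circular dependency among transports: {stuck}")
    return order


def has_cycle(dependencies: dict[str, set[str]]) -> bool:
    """True when no valid release order exists."""
    try:
        order_transports(dependencies)
    except ValueError:
        return False or True
    return False


def verify_order(order: list[str], dependencies: dict[str, set[str]]) -> bool:
    """Independent check of a proposed stack: every prerequisite must appear before its dependant."""
    position = {t: i for i, t in enumerate(order)}
    return all(
        t in position and all(p in position and position[p] < position[t] for p in prereqs)
        for t, prereqs in dependencies.items()
    )


# Constructed sample: four transports for a new business unit (identifiers are not real)
SAMPLE_TRANSPORTS = {
    "T101": set(),               # new company-code configuration
    "T102": {"T101"},            # cost centers that reference the company code
    "T103": {"T101"},            # report variants for the new unit
    "T104": {"T101", "T102"},    # allocation cycle that needs both the code and the cost centers
}


if __name__ == "__main__":
    stack = order_transports(SAMPLE_TRANSPORTS)
    print("release order:", stack, "valid:", verify_order(stack, SAMPLE_TRANSPORTS))
    print("cycle in {A<->B}:", has_cycle({"A": {"B"}, "B": {"A"}}))
```

`verify_order` is deliberately independent of `order_transports`: it lets the stack a tool or a colleague proposes be checked against the declared dependencies before import, which is the kind of independent check the control-activities slides call for.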

Segregation of System Duties
– The production system is turned back over to the business, and automated jobs are set to run
– For a period of time following the go-live, system validations continue
– Post-audits are completed several months later (i.e., tax changes)
– Systems access validation processes are usually performed on a monthly or quarterly basis and will now encompass the new business unit
– Business controls may be updated and new controls added, depending on the nature of the new business
Systems staff do not have any access to change tables, software or master data, or to run transactions, in the production system.