Presentation is loading. Please wait.

Presentation is loading. Please wait.

Accounting Information Systems 7e

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Accounting Information Systems 7e"— Presentation transcript:

1 Accounting Information Systems 7e
Chapter 7 Controlling Information Systems: Introduction to Enterprise Risk Management and Internal Control Accounting Information Systems 7e Ulric J. Gelinas and Richard Dull Copyright © 2008 Thomson Southwestern, a part of The Thomson Corporation. Thomson, the Star logo, and South-Western are trademarks used herein under license.

2 Learning Objectives Summarize the eight elements of COSO’s Enterprise Risk Management—Integrated Framework. Understand that management employs internal control systems as part of organizational and IT governance initiatives. Describe how internal control systems assist organizations to achieve objectives and respond to risks. Describe fraud, computer fraud, and computer abuse. Enumerate control goals for operations and information processes. Describe the major categories of control plans.

3 Organizational Governance
Enterprise Risk Management Internal Control IT Control

4 Organizational Governance
A process by which organizations select objectives, establish processes to achieve objectives, and monitor performance. Enterprise risk management (ERM) is a process established to achieve organizational objectives.

5 Enterprise Risk Management
A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

6 Management Objectives Addressed by ERM
Strategic: High-level goals aligned with and supporting its mission. Operation: Effective and efficient use of its resources. Reporting: Reliability of reporting. Compliance: Compliance with applicable laws and regulations.

7 Components of Enterprise Risk Management
Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite. Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes. Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.

8 Components of Enterprise Risk Management (Continued)
Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite. Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity. Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

9 Risk Assessment Estimate the annual dollar loss that would occur (i.e., the impact) should a costly event, say a destructive fire, take place. For argument sake, say that the estimated loss is –$1,000,000. Estimate the annual probability that the event will occur (i.e., the likelihood). Suppose the estimate is 5 percent. Multiply item 1 by item 2 to get an initial expected gross risk (loss) of –$50,000 (–$1,000,000 × 0.05), which is the maximum amount or upper limit that should be paid for controls and the related risk reduction offered by such controls, in a given year. Next, we illustrate a recommendation plan using one corrective control, a fire insurance policy, and one preventive control, a sprinkler system. Assume that the company would pay $1,000 annually (cost of control) for a $20,000 fire insurance policy (reduced risk exposure due to control). The estimated monetary damage remains at $1 million and expected gross risk (loss) remains at –$50,000, because there is still a 5 percent chance that a fire could occur. But, the company’s residual expected risk exposure is now –$31,000 [–$50,000 + ($20,000 – $1,000)]. Our expected loss is reduced by the amount of the insurance policy (less the cost of the policy).

10 Risk Assessment (Cont.)
Next, you recommend that the company install a sprinkler system with a 5-year annualized cost (net present value) of $10,000 each year to install and maintain (cost of control). At this point you might be tempted to say that the company’s residual expected risk just increased to –$41,000 (–$31,000 – $10,000), but wait! The sprinkler system lowered the likelihood of a damaging fire from 5 to 2 percent. In conjunction with this lower probability, the insurance company agreed to increase its coverage to $30,000 while holding the annual premium constant at $1,000. Thus, the residual expected risk exposure is –$1,000, calculated as follows: Expected gross risk (–$20,000 or –$1,000,000 × 0.02) plus the insurance policy ($30,000) equals a gain of $10,000, but we must subtract the insurance premium ($1,000) and the sprinkler system ($10,000), leaving the residual expected risk at –$1,000.

11 Sarbanes-Oxley Act (SOA)
Sarbanes-Oxley Act (SOA) of 2002 Created public company accounting oversight board Increased accountability for company officers and board of directors Increased white collar crime penalties Prohibits audit firms from providing design and implementation of financial information systems

12 Sarbanes-Oxley Act of 2002 (SOA)
Section 302—CEOs and CFOs must certify quarterly and annual financial statements Section 404—Mandates the annual report filed with the SEC include an internal control report

13 Outline of SOA 2002

14 Definition of Internal Control
From SAS 78 (1995) - adopted COSO definition: INTERNAL CONTROL is a process-effected by a an entity’s board of directors, management, and other personnel-designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness & efficiency of operations Reliability of financial reporting Compliance with applicable laws & regulations.

15 Five Interrelated Components of Internal Control
1. Control environment- tone at the top 2. Risk assessment - identification/analysis of risks 3. Control activities - policies and procedures 4. Information & communication - processing of info in a form and time frame to enable people to do their jobs 5. Monitoring - process that assess quality of internal control over time

16 COSO Report, SOA, and SAS 94 In the section addressing implementation of the Sarbanes Oxley Act section 404, the SEC used the COSO description of internal control. It went on to say that management must base its evaluation of the effectiveness of its internal control system on a framework such as COSO COSO report stresses internal control is a process A complementary perspective on internal control is found in Statement on Auditing Standards (SAS) 94, entitled “The Effect on Information Technology on the Auditor’s Consideration of Internal Control in a Financial Statement Audit.” This standard guides auditors in understanding the impact of IT on internal control and assessing IT-related control risks Further, SAS 94 highlights how IT can be used to strengthen internal control, while at the same time emphasizing how IT can actually weaken some controls

17

18 Control Hierarchy The Control Environment The fact that the control environment appears at the top of the hierarchy illustrates that the control environment comprises a multitude of factors that can either reinforce or mitigate the effectiveness of the pervasive and application control plans.

19 Control Hierarchy(Cont.)
Pervasive control plans also relate to a multitude of goals and processes Like the control environment, they provide a climate or set of surrounding conditions in which the various business processes operate. They are broad in scope and apply equally to all business processes, hence they pervade all systems.

20 Control Hierarchy (Cont.)
Business process control plans relate to those controls particular to a specific process or subsystem, such as billing or cash receipts, or to a particular technology used to process the data.

21 Business Process Control Goals
Control Goals - ends to be obtained Control goals of operations processes Control goals of information processes

22 Control Goals of the Operations Process
Ensure effectiveness of operations Ensure efficient employment of resources Ensure security of resources

23 Control Goals of Operations Process
Ensure effectiveness of operations A measure of success in meeting one or more operations process goals which reflect the criteria used to judge the effectiveness of various business processes Ex. Deposit cash receipts on the day received Ensure efficient employment of resources A measure of the productivity of the resources applied to achieve a set of goals Ex. What is the cost of people, computers, and other resources to deposit cash on the day received Ensure security of resources Protecting an organization’s resources from loss, destruction, disclosure, copying, sale, or other misuse Ex. Are cash and information resources available when required? Are they put to authorized use?

24 Control Goals of the Information Process
For business event inputs, ensure Input validity Input completeness Input accuracy For master data, ensure update completeness update accuracy

25 Control Goals of Information Process
Input validity Input data approved and represent actual economic events and objects Ex. Are all cash receipts input into the process and supported by customer payments Input completeness Requires that all valid events or objects be captured and entered into the system Ex. Are all valid customer payment captured on a customer remittance advice (RA) and entered into the process? Input accuracy (correct data entered correctly) Input Accuracy Requires that events be correctly captured and entered into the system Ex. Is correct payment amount and customer number on the RA? Ex. Is the correct payment amount and customer number keyed into the system?

26 Control Goals of Information Process
Update completeness Requires all events entered into the computer are reflected in their respective master data Ex. Are all input cash receipts recorded in the AR master data? Update accuracy Requires that data entered into a computer are reflected correctly in their respective master data Ex. Are all input cash receipts correctly recorded in the AR master data?

27 Lenox Company Systems Flowchart

28 Control Goals for the Lenox Cash Receipts Process
Control Goals of the Lenox Cash Receipts Business Process Control goals of the operations process Control goals of the information process Ensure effectiveness of operations Ensure efficient employment of resources (e.g., people and computers) Ensure security of resources (e.g., checks and AR master data) For the remittance advice inputs, ensure: For the AR master data, ensure: A B IV IC IA UC UA Effectiveness goals include: A – Timely deposit of checks B – Comply with compensating balance agreements with the depository bank IV = Input validity IC = Input completeness IA = Input accuracy UC = Update completeness UA = Update accuracy

29 Other Classifications of Control Plans
Preventive Controls: Issue is prevented from occurring – cash receipts are immediately deposited to avoid loss Detective Controls: Issue is discovered – unauthorized disbursement is discovered during reconciliation Corrective Controls: issue is corrected – erroneous data is entered in the system and reported on an error and summary report; a clerk re-enters the data

Download ppt "Accounting Information Systems 7e"

Similar presentations

Internal Control Integrated Framework

Internal Control Integrated Framework
Bodnar/Hopwood AIS 7th Ed1 Chapter 5 u TRANSACTION PROCESSING AND INTERNAL CONTROL PROCESS.

Bodnar/Hopwood AIS 7th Ed1 Chapter 5 u TRANSACTION PROCESSING AND INTERNAL CONTROL PROCESS.
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
Control and Accounting Information Systems

Control and Accounting Information Systems
Prepared by Wa'el Bibi,CPA,CIA,CISA1 Internal Control Integrated Framework An Overview.. Bibi Consulting COSO’s Source: COSO’s Internal Control Integrated.

Prepared by Wa'el Bibi,CPA,CIA,CISA1 Internal Control Integrated Framework An Overview.. Bibi Consulting COSO’s Source: COSO’s Internal Control Integrated.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
The Islamic University of Gaza

The Islamic University of Gaza
Controlling Information Systems:

Controlling Information Systems:
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Risk General Definition: exposure to the chance of adverse effects or loss; a hazard or dangerous chance Examples of risks to a company:  Erroneous Financial.

Risk General Definition: exposure to the chance of adverse effects or loss; a hazard or dangerous chance Examples of risks to a company:  Erroneous Financial.
Controlling Information Systems: Introduction to Internal Control.

Controlling Information Systems: Introduction to Internal Control.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.

18- 1 © 2006 The McGraw-Hill Companies, Inc., All Rights Reserved. Chapter 18 Integrated Audits of Internal Control (For Public Companies Under Sarbanes-Oxley.
Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.

Internal Control. COSO’s Framework Committee of Sponsoring Organizations 1992 issued a white paper on internal control Since this time, this framework.
Internal Control Pertemuan 07 - 08 Matakuliah: F0204 / Sistem Akuntansi Tahun: 2007.

Internal Control Pertemuan Matakuliah: F0204 / Sistem Akuntansi Tahun: 2007.
IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESS FL Jones and DV Rama.

IDENTIFYING RISKS AND CONTROLS IN BUSINESS PROCESS FL Jones and DV Rama.
Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.

Sarbanes-Oxley Project Summary of COSO Framework Presented by Larry Dillehay & Scott Reitan Parkfield Group LLC.

Similar presentations

Ads by Google