Presentation transcript: "Control and Accounting Information Systems"
1 Control and Accounting Information Systems Chapter 7
2 INTRODUCTION
Why AIS threats are increasing:
- There are computers and servers everywhere, and information is available to an unprecedented number of workers.
- Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems.
- Wide area networks are giving customers and suppliers access to each other’s systems and data, making confidentiality a major concern.
- Wireless technology
3 INTRODUCTION
Historically, many organizations have not adequately protected their data due to one or more of the following reasons:
- Computer control problems are often underestimated and downplayed.
- Control implications of moving from centralized, host-based computer systems to those of a networked system or Internet-based system are not always fully understood.
- Companies have not realized that data is a strategic resource and that data security must be a strategic requirement.
- Productivity and cost pressures may motivate management to forego time-consuming control measures.
4 Why Is Control Needed?
- Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.
- The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.
- The probability that the threat will happen is the likelihood associated with the threat.
Many organizations run real risks by not adequately protecting their data. Although they may see the threat, many organizations underestimate the impact and the likelihood that a threat will occur.
5 A Primary Objective of an AIS
Is to control the organization so the organization can achieve its objectives.
Management expects accountants to:
- Take a proactive approach to eliminating system threats.
- Detect, correct, and recover from threats when they occur.
6 Internal Controls
Processes implemented to provide assurance that the following objectives are achieved:
- Safeguard assets/data
- Maintain sufficient records
- Provide accurate and reliable information
- Prepare financial reports according to established criteria
- Promote and improve operational efficiency
- Encourage adherence with management policies
- Comply with laws and regulations
Good internal controls are necessary for an organization to achieve its goals.
7 Functions of Internal Controls
- Preventive controls: deter problems from occurring
- Detective controls: discover problems that are not prevented
- Corrective controls: identify and correct problems; correct and recover from the problems
In addition to the functions of internal controls, controls are segregated into two categories:
- General controls, which ensure that the organization’s control environment is stable and well managed.
- Application controls, which prevent, detect, and correct transaction errors and fraud in application programs.
8 IC Categories
General controls: overall IC system and processes
- IT infrastructure
- Software acquisition
- Systems development
- Maintenance
Application controls: transactions are processed correctly
- Data accurate
- Data complete
- Data valid
- Proper authorizations
9 Internal Control: Preventive Control examples
- Hire qualified personnel
- Segregation of duties
- Chart of accounts
- Physical access controls (assets, information)
- Employee training
10 Internal Control: Detective Control examples
- Preparing bank reconciliations
- Log analysis
- Fraud hotline
- Preparing the monthly trial balance
11 Internal Control: Corrective Control examples
- Backup copies of master and transaction files
- Adequate insurance
- Resubmission of transactions for subsequent processing
- Correction of data entry errors
12 Internal Control
It is much easier to build controls into a system during the initial stage than to add them after the fact.
Management expects accountants to be control consultants by:
- Taking a proactive approach to eliminating system threats; and
- Detecting, correcting, and recovering from threats when they do occur.
Consequently, accountants and control experts should be members of the teams that develop or modify information systems.
13 Internal Control
Internal control is a process because:
- It permeates an organization’s operating activities.
- It is an integral part of basic management activities.
Internal control provides reasonable, rather than absolute, assurance, because complete assurance is difficult or impossible to achieve and prohibitively expensive.
14 Internal Control
Internal control systems have inherent limitations, including:
- They are susceptible to errors and poor decisions.
- They can be overridden by management or by collusion of two or more employees.
- Internal control objectives are often at odds with each other.
15 FOREIGN CORRUPT PRACTICES ACT
- In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement.
- The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.
- A significant effect was to require that corporations maintain good systems of internal accounting control.
- It generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems.
- The resulting internal control improvements weren’t sufficient: Enron, WorldCom, Global Crossing, and others.
16 Sarbanes Oxley (2002)
Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.
- Public Company Accounting Oversight Board (PCAOB): oversight of the auditing profession
- New auditing rules: partners must rotate periodically; auditors are prohibited from performing certain non-audit services
17 Sarbanes Oxley (2002)
New roles for the audit committee:
- Be part of the board of directors and be independent
- One member must be a financial expert
- Oversees external auditors
New rules for management:
- Financial statements and disclosures are fairly presented, were reviewed by management, and are not misleading.
- The auditors were told about all material internal control weaknesses and fraud.
New internal control requirements:
- Management is responsible for establishing and maintaining an adequate internal control system.
18 SEC Mandate After SOX
- Base evaluation of internal control on a recognized framework.
- Disclose all material internal control weaknesses.
- Conclude that a company does not have effective financial reporting internal controls if there are material weaknesses.
19 Control Frameworks
- COBIT: framework for IT control
- COSO: framework for enterprise internal controls (control-based approach)
- COSO-ERM: expands the COSO framework, taking a risk-based approach
21 Components of COSO Frameworks
COSO:
- Control (internal) environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
COSO-ERM:
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
The major difference between COSO and COSO-ERM is that COSO-ERM’s focus is on a risk-based approach and the components are expanded for this approach (objective setting, event identification, and risk response are added). All of the other components are similar.
23 Internal Environment
- Management’s philosophy, operating style, and risk appetite
- Commitment to integrity, ethical values, and competence
- Internal control oversight by the board of directors
- Organizational structure
- Methods of assigning authority and responsibility
- Human resource standards
- External influences
The internal environment establishes the foundation for all other components of the internal control model. Assessing the internal environment involves observing the organizational behavior of management actions and evaluating policies and procedures. For example, is there a written code of conduct that explicitly describes honest and dishonest behaviors? Does the company exhibit good hiring practices by evaluating qualified applicants and conducting thorough background checks?
24 INTERNAL ENVIRONMENT
Management’s philosophy, style, and risk appetite can be assessed by asking questions such as:
- Does management take undue business risks, or assess potential risks and rewards before acting?
- Does management attempt to manipulate performance measures such as net income?
- Does management pressure employees to achieve results regardless of methods, or do they demand ethical behavior?
25 INTERNAL ENVIRONMENT
Commitment to integrity, ethical values, and competence:
- Management must create an organizational culture that stresses integrity and commitment to both ethical values and competence.
- Ethical standards of behavior make for good business.
- Tone at the top is everything.
- Employees will watch the actions of the CEO, and the message of those actions (good or bad) will tend to permeate the organization.
26 INTERNAL ENVIRONMENT
The board of directors: an active and involved board of directors plays an important role in internal control. They should:
- Oversee management
- Scrutinize management’s plans, performance, and activities
- Approve company strategy
- Review financial results
- Annually review the company’s security policy
- Interact with internal and external auditors
At least a majority should be independent, outside directors not affiliated with the company or any of its subsidiaries.
27 INTERNAL ENVIRONMENT
Organizational structure: a company’s organizational structure defines its lines of authority, responsibility, and reporting. It provides the overall framework for planning, directing, executing, controlling, and monitoring its operations.
Statistically, fraud occurs more frequently in organizations with complex structures:
- The structures may unintentionally impede communication and clear assignment of responsibility, making fraud easier to commit and conceal; or
- The structure may be intentionally complex to facilitate the fraud.
28 INTERNAL ENVIRONMENT
Methods of assigning authority and responsibility. Management should make sure:
- Employees understand the entity’s objectives.
- Authority and responsibility for business objectives are assigned to specific departments and individuals.
- Ownership of responsibility encourages employees to take initiative in solving problems and holds them accountable for achieving objectives.
Management:
- Must be sure to identify who is responsible for the IS security policy.
- Should monitor results so decisions can be reviewed and, if necessary, overruled.
29 INTERNAL ENVIRONMENT
Human resources standards: employees are both the company’s greatest control strength and the greatest control weakness.
- Organizations can implement human resource policies and practices with respect to hiring, training, compensating, evaluating, counseling, promoting, and discharging employees that send messages about the level of competence and ethical behavior required.
- Policies on working conditions, incentives, and career advancement can powerfully encourage efficiency and loyalty and reduce the organization’s vulnerability.
30 INTERNAL ENVIRONMENT
The following HR policies and procedures are important:
- Hiring
- Compensating
- Training
- Evaluating and promoting
- Discharging
- Managing disgruntled employees
- Vacations and rotation of duties
- Confidentiality insurance and fidelity bonds
31 INTERNAL ENVIRONMENT
External influences that affect the control environment include requirements imposed by:
- FASB
- PCAOB
- SEC
- Insurance commissions
- Regulatory agencies for banks, utilities, etc.
32 Objective Setting
- Strategic objectives: high-level goals
- Operations objectives: effectiveness and efficiency of operations
- Reporting objectives: improve decision making and monitor performance
- Compliance objectives: compliance with applicable laws and regulations
Objective setting is what the company hopes to achieve. This is broken down into four categories, beginning from a high level and moving to specific levels.
Strategic objectives are high-level goals and may include considerations that involve the organizational direction relating to governance, business model, or strategy (e.g., grow market share).
Operations objectives involve the operations, which we can think of as people, process, and technology. Examples of these types of objectives include internal controls, supply chain and distribution, and human resources.
Reporting objectives ensure the accuracy and reliability of your reports. This would include objectives covering access to the systems and protecting the IT systems, as well as ensuring adequate management review of the reports.
Compliance objectives are focused on compliance with all applicable laws and regulations. Many industries have specific regulations (e.g., food manufacturing and financial services). In addition, there are local, state, and federal laws that organizations must comply with, meaning that there are environmental, legal, and contractual compliance considerations.
It is also at this high level that an organization’s risk appetite (how much risk is the organization willing to take?) and risk tolerance are formed. In other words, there are trade-offs with risk in organizations. Organizations need to think about how much risk they are willing to take for a certain level of return. Of course there are uncertainties; that is why thinking about risk is so important.
33 Event Identification
Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization’s objectives.
Key management questions:
- What could go wrong?
- How can it go wrong?
- What is the potential harm?
- What can be done about it?
Risk is two-sided:
- Opportunities (upside to uncertainty)
- Risk (downside to uncertainty)
For example, consider a chocolate manufacturer that relies on sourcing its cacao beans from certain regions in Africa to get the signature blend of chocolate flavor for its truffles. Its organizational objective is to increase revenues and profitability.
What could go wrong? We may not get enough supply of cacao beans to meet our customer demand.
How can it go wrong? It is possible that the weather conditions produced a smaller crop, limiting the supply; or it is possible that a civil war broke out in the African region and the crop was produced, but no one was there to get the product off the trees in time due to the war.
What is the potential harm? The cost of our cacao beans will go up due to limited supply; it will have an impact on our customers, as we may have to increase our prices.
What can be done about it? If we buy cacao bean futures on the market, we may be able to hedge the potential risk to the supply of cacao required to meet our customer demand and achieve our organizational goals of increasing revenues and profitability.
34 Risk Assessment
Risk is assessed from two perspectives:
- Likelihood: probability that the event will occur
- Impact: estimate of the potential loss if the event occurs
Types of risk:
- Inherent: risk that exists before plans are made to control it
- Residual: risk that is left over after you control it
Risk assessment is perhaps the most difficult step for organizations, because once they identify what can go wrong, they need to think about the probability that it actually will happen and estimate the costs. This truly can be a daunting task with a lot of uncertainty!
Many organizations will look at this task from a qualitative and a quantitative perspective, provided that they have enough data. From a qualitative perspective, management can simply assign high, medium, or low risk based upon their collective discussion. After assessing all the risks identified in this manner, a heat map can be generated to show which risks are high (usually colored red), medium (orange), or low (yellow). Quantitative analysis can apply probabilistic techniques to model the cash flow or earnings effect of each risk identified.
35 Risk Response
- Reduce: implement effective internal control
- Accept: do nothing; accept the likelihood and impact of the risk
- Share: buy insurance, outsource, or hedge
- Avoid: do not engage in the activity
Management can respond to risk in four ways:
- Reduce the amount of risk by implementing internal controls
- Do nothing and accept the likelihood and impact of the risk
- Share the risk by buying insurance, doing a joint venture, or hedging transactions (chocolate company example in slide 7-13 notes)
- Avoid the risk entirely and sell off a division or not manufacture that product line
36 Event/Risk/Response Model
Event identification: the first step in risk assessment and response strategy is event identification.
37 Event/Risk/Response Model
Estimate likelihood and impact:
- Some events pose more risk because they are more probable than others.
- Some events pose more risk because their dollar impact would be more significant.
- Likelihood and impact must be considered together: if either increases, the materiality of the event and the need to protect against it rises.
Expected loss = Impact x Likelihood
38 Event/Risk/Response Model
Identify controls:
- Management must identify one or more controls that will protect the company from each event.
- In evaluating the benefits of each control procedure, consider effectiveness and timing.
39 Event/Risk/Response Model
All other factors equal:
- A preventive control is better than a detective one.
- However, if preventive controls fail, detective controls are needed to discover the problem, and corrective controls are needed to recover.
- Consequently, the three complement each other, and a good internal control system should have all three.
40 Event/Risk/Response Model
Estimate costs and benefits:
- It would be cost-prohibitive to create an internal control system that provided foolproof protection against all events.
- Also, some controls negatively affect operational efficiency, and too many controls can make it very inefficient.
41 Event/Risk/Response Model
The benefits of an internal control procedure must exceed its costs. Benefits can be hard to quantify, but include:
- Increased sales and productivity
- Reduced losses
- Better integration with customers and suppliers
- Increased customer loyalty
- Competitive advantages
- Lower insurance premiums
42 Event/Risk/Response Model
Costs are usually easier to measure than benefits. The primary cost is personnel, including:
- Time to perform control procedures
- Costs of hiring additional employees to effectively segregate duties
- Costs of programming controls into a system
43 Event/Risk/Response Model
Determine cost-benefit effectiveness: after estimating benefits and costs, management determines if the control is cost beneficial, i.e., is the cost of implementing a control procedure less than the change in expected loss that would be attributable to the control?
44 RISK ASSESSMENT AND RISK RESPONSE
Implement the control or avoid, share, or accept the risk: when controls are cost effective, they should be implemented so risk can be reduced.
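The cost-benefit steps of slides 37 through 44 carried through in code, together with the qualitative high/medium/low rating described on slide 34. This is an added example and not part of the presentation; the payroll event, the two candidate controls, the dollar figures and the rating thresholds are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Event:
    """An identified event with its estimated likelihood and dollar impact."""
    name: str
    likelihood: float   # probability the event occurs in the period (0..1)
    impact: float       # dollar loss if it does occur

    def expected_loss(self) -> float:
        # Slide 37: expected loss = impact x likelihood
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Control:
    """A candidate control, its cost, and the residual risk it leaves behind."""
    name: str
    cost: float                  # cost of operating the control for the period
    residual_likelihood: float   # likelihood once the control is in place
    residual_impact: float       # impact once the control is in place

    def residual_loss(self) -> float:
        return self.residual_impact * self.residual_likelihood


def qualitative_rating(event: Event, high: float, medium: float) -> str:
    """Heat-map style rating (slide 34) of expected loss against two
    thresholds set by management; the thresholds here are constructed."""
    loss = event.expected_loss()
    if loss >= high:
        return "high"
    if loss >= medium:
        return "medium"
    return "low"


def net_benefit(event: Event, control: Control) -> float:
    """Reduction in expected loss attributable to the control, minus its cost.
    Positive means the control is cost beneficial (slide 43)."""
    return (event.expected_loss() - control.residual_loss()) - control.cost


def choose_response(event: Event, controls: Sequence[Control]) -> Tuple[str, Optional[Control]]:
    """Implement the control with the largest positive net benefit ("reduce");
    if no candidate pays for itself, the choice falls to accept, share or avoid."""
    best = max(controls, key=lambda c: net_benefit(event, c), default=None)
    if best is None or net_benefit(event, best) <= 0:
        return "accept, share, or avoid", None
    return "reduce", best


# Constructed figures for illustration only.
PAYROLL_FRAUD = Event("fictitious employee on payroll", likelihood=0.20, impact=50_000)
CANDIDATES = [
    Control("quarterly HR-to-payroll reconciliation", cost=4_000,
            residual_likelihood=0.05, residual_impact=50_000),
    Control("dedicated full-time payroll reviewer", cost=60_000,
            residual_likelihood=0.01, residual_impact=50_000),
]

if __name__ == "__main__":
    print("rating:", qualitative_rating(PAYROLL_FRAUD, high=8_000, medium=2_000))
    for c in CANDIDATES:
        print(f"{c.name}: net benefit {net_benefit(PAYROLL_FRAUD, c):,.0f}")
    print(choose_response(PAYROLL_FRAUD, CANDIDATES))
```

The second control cuts the most risk but costs more than the risk it removes, so the cheaper reconciliation is the one that is cost beneficial.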
45 Control Activities
- Proper authorization of transactions and activities
- Segregation of duties
- Project development and acquisition controls
- Change management controls
- Design and use of documents and records
- Safeguarding assets, records, and data
- Independent checks on performance
46 CONTROL ACTIVITIES
Proper authorization of transactions and activities:
- Management lacks the time and resources to supervise each employee activity and decision.
- Consequently, they establish policies and empower employees to perform activities within policy.
- This empowerment is called authorization and is an important part of an organization’s control procedures.
47 CONTROL ACTIVITIES
- Authorizations are often documented by signing, initialing, or entering an authorization code.
- Computer systems can record digital signatures as a means of signing a document.
- Employees who process transactions should verify the presence of the appropriate authorizations.
- Auditors review transactions for proper authorization, as its absence indicates a possible control problem.
48 CONTROL ACTIVITIES
Typically there are at least two levels of authorization:
- General authorization: management authorizes employees to handle routine transactions without special approval.
- Specific authorization: for activities or transactions that are of significant consequence, management review and approval is required. Might apply to sales, capital expenditures, or write-offs over a particular dollar limit.
Management should have written policies for both types of authorization and for all types of transactions.
49 CONTROL ACTIVITIES
Segregation of accounting duties: no one employee should be given too much responsibility. Separate:
- Authorization: approving transactions and decisions
- Recording: preparing source documents; entering data into an AIS; maintaining accounting records
- Custody: handling cash, inventory, fixed assets; receiving incoming checks; writing checks
51 Segregation of System Duties
Like accounting duties, system duties should also be separated. These duties include:
- System administration
- Network management
- Security management
- Change management
- Users
- Systems analysts
- Programmers
- Computer operators
- Information system librarian
- Data control
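A segregation-of-duties check for the accounting duties on slide 49 and the system duties on slide 51: given who is assigned which functions, it flags any one person whose functions span more than one duty category, and lists pairs who between them could complete a whole transaction (the collusion limitation noted on slide 14). Added example, not part of the presentation; the function names, the mapping of functions to categories and the role assignments are constructed.

```python
from itertools import combinations
from typing import Dict, Iterable, List, Set, Tuple

# Duty categories from slides 49 and 51; the member function names are constructed.
ACCOUNTING_DUTIES: Dict[str, Set[str]] = {
    "authorization": {"approve_purchase", "approve_write_off"},
    "recording":     {"prepare_source_document", "enter_transaction", "maintain_ledger"},
    "custody":       {"handle_cash", "receive_checks", "write_checks"},
}
SYSTEM_DUTIES: Dict[str, Set[str]] = {
    "programming":         {"modify_program"},
    "computer_operations": {"run_production_jobs"},
    "security_management": {"grant_access"},
    "change_management":   {"approve_change"},
}


def categories_for(functions: Iterable[str], duty_map: Dict[str, Set[str]]) -> Set[str]:
    """Which duty categories does this set of functions touch?"""
    fns = set(functions)
    return {cat for cat, members in duty_map.items() if members & fns}


def find_conflicts(assignments: Dict[str, List[str]],
                   duty_map: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Users whose assigned functions span two or more duty categories."""
    conflicts = {}
    for user, functions in assignments.items():
        cats = categories_for(functions, duty_map)
        if len(cats) > 1:
            conflicts[user] = sorted(cats)
    return conflicts


def collusion_pairs(assignments: Dict[str, List[str]],
                    duty_map: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Pairs of users who between them cover every duty category. Separation
    alone does not control these pairs, so their work is where independent
    checks on performance (slide 57) matter most."""
    everything = set(duty_map)
    pairs = []
    for a, b in combinations(sorted(assignments), 2):
        combined = categories_for(assignments[a], duty_map) | categories_for(assignments[b], duty_map)
        if combined == everything:
            pairs.append((a, b))
    return pairs


# Constructed role assignments.
ASSIGNMENTS = {
    "alice": ["approve_purchase", "write_checks"],       # authorizes and has custody
    "bob":   ["enter_transaction", "maintain_ledger"],   # recording only
    "carol": ["receive_checks"],                         # custody only
    "dave":  ["modify_program", "run_production_jobs"],  # programmer who also operates
}

if __name__ == "__main__":
    print("accounting conflicts:", find_conflicts(ASSIGNMENTS, ACCOUNTING_DUTIES))
    print("system conflicts:", find_conflicts(ASSIGNMENTS, SYSTEM_DUTIES))
    print("pairs covering all accounting duties:", collusion_pairs(ASSIGNMENTS, ACCOUNTING_DUTIES))
```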
52 CONTROL ACTIVITIES
Project development and acquisition controls: it’s important to have a formal, appropriate, and proven methodology to govern the development, acquisition, implementation, and maintenance of information systems and related technologies. It should contain appropriate controls for:
- Management review and approval
- Strategic master plan (yearly reviews and updates)
- Project development plan
- Tasks to be performed
- Project manager
- Data processing schedule
- Performance measures
- Testing
- Implementation
- Conversion
- Post-implementation review
53 CONTROL ACTIVITIES
Change management controls: organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances. Change management is the process of making sure that the changes do not negatively affect:
- Systems reliability
- Security
- Confidentiality
- Integrity
- Availability
54 CONTROL ACTIVITIES
Design and use of adequate documents and records: proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data. Form and content should be kept as simple as possible to:
- Promote efficient record keeping
- Minimize recording errors
- Facilitate review and verification
Documents that initiate a transaction should contain a space for authorization. Those used to transfer assets should have a space for the receiving party’s signature.
55 CONTROL ACTIVITIES
Documents should be sequentially pre-numbered:
- To reduce the likelihood that they would be used fraudulently.
- To help ensure that all valid transactions are recorded.
A good audit trail facilitates:
- Tracing individual transactions through the system.
- Correcting errors.
- Verifying system output.
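The detective check that makes sequential pre-numbering useful: reconcile the numbers actually recorded against the range issued, accounting for documents that were voided, so that a skipped number, a re-used number or a number outside the issued range is reported instead of silently accepted. Added example, not from the presentation; the check register, the issued range and the voided number are constructed.

```python
from typing import Dict, Iterable, List


def audit_sequence(recorded: Iterable[int], first: int, last: int,
                   voided: Iterable[int] = ()) -> Dict[str, List[int]]:
    """Reconcile recorded document numbers against the issued range first..last.

    missing:              issued numbers that were neither recorded nor voided
    duplicates:           numbers recorded more than once (a re-used document number)
    out_of_range:         recorded numbers that were never issued
    voided_but_recorded:  numbers marked void that nonetheless appear as recorded
    """
    counts: Dict[int, int] = {}
    for n in recorded:
        counts[n] = counts.get(n, 0) + 1
    issued = set(range(first, last + 1))
    seen = set(counts)
    void = set(voided)
    return {
        "missing": sorted(issued - seen - void),
        "duplicates": sorted(n for n, c in counts.items() if c > 1),
        "out_of_range": sorted(seen - issued),
        "voided_but_recorded": sorted(seen & void),
    }


def is_complete(report: Dict[str, List[int]]) -> bool:
    """True when every issued number is accounted for and nothing is irregular."""
    return not any(report.values())


# Constructed check register: checks 1001-1010 were issued; 1006 was voided and retained.
RECORDED_CHECKS = [1001, 1002, 1002, 1004, 1005, 1007, 1008, 1009, 1010, 1012]
VOIDED_CHECKS = {1006}

if __name__ == "__main__":
    report = audit_sequence(RECORDED_CHECKS, 1001, 1010, VOIDED_CHECKS)
    for finding, numbers in report.items():
        print(f"{finding}: {numbers}")
    print("complete:", is_complete(report))
```

Each finding points at a specific document to trace: a missing number means a transaction that may not have been recorded, a duplicate or out-of-range number means a document that should not exist.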
56 CONTROL ACTIVITIES
Safeguard assets, records, and data: when people consider safeguarding assets, they most often think of cash and physical assets, such as inventory and equipment. Another company asset that needs to be protected is data.
57 CONTROL ACTIVITIES
The following independent checks on performance are typically used:
- Top-level reviews
- Analytical reviews
- Reconciliation of independently maintained sets of records
- Comparison of actual quantities with recorded amounts
- Double-entry accounting
- Independent review
58 Information and Communication
Primary purpose of an AIS:
- Gather
- Record
- Process
- Summarize
- Communicate
59 Monitoring
- Perform internal control evaluations (e.g., internal audit)
- Implement effective supervision
- Use responsibility accounting systems (e.g., budgets)
- Monitor system activities
- Track purchased software and mobile devices
- Conduct periodic audits (e.g., external, internal, network security)
- Employ a computer security officer
- Engage forensic specialists
- Install fraud detection software
- Implement a fraud hotline