
© 2008 Prentice Hall Business Publishing, Accounting Information Systems, 11/e, Romney/Steinbart, 1 of 315. CHAPTER 6: Control and Accounting Information Systems.


1 CHAPTER 6 Control and Accounting Information Systems

2 INTRODUCTION
Questions to be addressed in this chapter:
–What are the basic internal control concepts, and why are computer control and security important?
–What is the difference between the COBIT, COSO, and ERM control frameworks?
–What are the major elements in the internal environment of a company?
–What are the four types of control objectives that companies need to set?
–What events affect uncertainty, and how can they be identified?
–How is the Enterprise Risk Management model used to assess and respond to risk?
–What control activities are commonly used in companies?
–How do organizations communicate information and monitor control processes?

3 INTRODUCTION
Some vocabulary terms for this chapter:
–A threat is any potential adverse occurrence or unwanted event that could injure the AIS or the organization.
–The exposure or impact of the threat is the potential dollar loss that would occur if the threat becomes a reality.
–The likelihood is the probability that the threat will occur.

4 OVERVIEW OF CONTROL CONCEPTS
Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
–Assets (including data) are safeguarded.
–Records are maintained in sufficient detail to accurately and fairly reflect company assets.
–Accurate and reliable information is provided.
–There is reasonable assurance that financial reports are prepared in accordance with GAAP.
–Operational efficiency is promoted and improved.
–Adherence to prescribed managerial policies is encouraged.
–The organization complies with applicable laws and regulations.

5 OVERVIEW OF CONTROL CONCEPTS
Internal controls perform three important functions:
–Preventive controls
–Detective controls
–Corrective controls, which remedy problems that have occurred by:
  –Identifying the cause;
  –Correcting the resulting errors; and
  –Modifying the system to prevent future problems of this sort.

6 OVERVIEW OF CONTROL CONCEPTS
An effective system of internal controls should exist in all organizations to:
–Help them achieve their missions and goals.
–Minimize surprises.

7 SOX AND THE FOREIGN CORRUPT PRACTICES ACT
In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement. The primary purpose of the act was to prevent the bribery of foreign officials to obtain business. A significant effect was to require that corporations maintain good systems of internal accounting control.
–Generated significant interest among management, accountants, and auditors in designing and evaluating internal control systems.
–The resulting internal control improvements weren’t sufficient.

8 SOX AND THE FOREIGN CORRUPT PRACTICES ACT
In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.
–The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka SOX).
  –Applies to publicly held companies and their auditors.

9 SOX AND THE FOREIGN CORRUPT PRACTICES ACT
The intent of SOX is to:
–Prevent financial statement fraud
–Make financial reports more transparent
–Protect investors
–Strengthen internal controls in publicly-held companies
–Punish executives who perpetrate fraud
SOX has had a material impact on the way boards of directors, management, and accountants operate.

10 SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Important aspects of SOX include:
–Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
–New rules for auditors
–New rules for audit committees
–New rules for management
–New internal control requirements
SOX also requires that the auditor attests to and reports on management’s internal control assessment. Each audit report must describe the scope of the auditor’s internal control tests.

11 SOX AND THE FOREIGN CORRUPT PRACTICES ACT
After the passage of SOX, the SEC further mandated that:
–Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.
–The report must contain a statement identifying the framework used.
–Management must disclose any and all material internal control weaknesses.
–Management cannot conclude that the company has effective internal control if there are any material weaknesses.

12 SOX AND THE FOREIGN CORRUPT PRACTICES ACT
Levers of Control
–Many people feel there is a basic conflict between creativity and controls.
–Robert Simons has espoused four levers of control to help companies reconcile this conflict:
  –A concise belief system
  –A boundary system
  –A diagnostic control system
  –An interactive control system

13 CONTROL FRAMEWORKS
A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
–The COBIT framework
–The COSO internal control framework
–COSO’s Enterprise Risk Management framework (ERM)

14 CONTROL FRAMEWORKS
COSO’s internal control framework
–The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:
  –The American Accounting Association
  –The AICPA
  –The Institute of Internal Auditors
  –The Institute of Management Accountants
  –The Financial Executives Institute

15 CONTROL FRAMEWORKS
In 1992, COSO issued the Internal Control Integrated Framework:
–Defines internal controls.
–Provides guidance for evaluating and enhancing internal control systems.
–Widely accepted as the authority on internal controls.
–Incorporated into policies, rules, and regulations used to control business activities.

16 CONTROL FRAMEWORKS
COSO’s internal control model has five crucial components:
–Control environment
–Control activities
–Risk assessment
–Information and communication
–Monitoring
The entire process must be monitored and modified as necessary.

17 CONTROL FRAMEWORKS
Nine years after COSO issued the preceding framework, it began investigating how to effectively identify, assess, and manage risk so organizations could improve the risk management process.
Result: Enterprise Risk Management Integrated Framework (ERM)
–An enhanced corporate governance document.
–Expands on elements of the preceding framework.
–Provides a focus on the broader subject of enterprise risk management.

18 CONTROL FRAMEWORKS
Basic principles behind ERM:
–Companies are formed to create value for owners.
–Management must decide how much uncertainty they will accept.
–Uncertainty can result in:
  –Risk
  –Opportunity

19 CONTROL FRAMEWORKS
These issues led to COSO’s development of the ERM framework.
–Takes a risk-based, rather than controls-based, approach to the organization.
–Oriented toward future and constant change.
–Incorporates rather than replaces COSO’s internal control framework and contains three additional elements:
  –Setting objectives.
  –Identifying positive and negative events that may affect the company’s ability to implement strategy and achieve objectives.
  –Developing a response to assessed risk.

20 CONTROL FRAMEWORKS
In the ERM framework diagram (not reproduced in this transcript), the columns at the top represent the four types of objectives that management must meet to achieve company goals.
–Strategic objectives
–Operations objectives
–Reporting objectives
–Compliance objectives

21 CONTROL FRAMEWORKS
In the same diagram, the columns on the right represent the company’s units:
–Entire company
–Division
–Business unit
–Subsidiary

22 INTERNAL ENVIRONMENT
The most critical component of the ERM and the internal control framework. It is the foundation on which the other seven components rest. It influences how organizations:
–Establish strategies and objectives
–Structure business activities
–Identify, assess, and respond to risk
A deficient internal control environment often results in risk management and control breakdowns.

23 INTERNAL ENVIRONMENT
The internal environment consists of the following:
–Management’s philosophy, operating style, and risk appetite
–The board of directors
–Commitment to integrity, ethical values, and competence
–Organizational structure
–Methods of assigning authority and responsibility
–Human resource standards
–External influences

24 OBJECTIVE SETTING
Objective setting is the second ERM component. It must precede many of the other six components. For example, you must set objectives before you can define events that affect your ability to achieve objectives.

25 OBJECTIVE SETTING
Objectives set at the corporate level are linked to and integrated with a cascading series of sub-objectives in the various sub-units. For each set of objectives:
–Critical success factors (what has to go right) must be defined.
–Performance measures should be established to determine whether the objectives are met.

26 OBJECTIVE SETTING
The objective-setting process proceeds as follows:
–First, set strategic objectives, the high-level goals that support the company’s mission and create value for shareholders.
–To meet these objectives, identify alternative ways of accomplishing them.
–For each alternative, identify and assess risks and implications.
–Formulate a corporate strategy.
–Then set operations, compliance, and reporting objectives.

27 EVENT IDENTIFICATION
Events are:
–Incidents or occurrences that emanate from internal or external sources.
–That affect implementation of strategy or achievement of objectives.
–Impact can be positive, negative, or both.
–Events can range from obvious to obscure.
–Effects can range from inconsequential to highly significant.

28 EVENT IDENTIFICATION
Management must do its best to anticipate all possible events, positive or negative, that might affect the company:
–Try to determine which are most and least likely.
–Understand the interrelationships of events.
COSO identified many internal and external factors that could influence events and affect a company’s ability to implement strategy and achieve objectives.

29 EVENT IDENTIFICATION
Some of these factors include:
–External factors:
  –Economic factors
  –Natural environment
  –Political factors
  –Social factors
  –Technological factors
    –New e-business technologies that lower infrastructure costs or increase demand for IT-based services
    –Emerging technology
    –Increased or decreased availability of data
    –Interruptions or downtime caused by external parties

30 EVENT IDENTIFICATION
Some of these factors include:
–Internal factors:
  –Infrastructure
  –Personnel
  –Process
  –Technology
    –Insufficient capacity to handle peak IT usage
    –Security breaches
    –Data or system unavailability from internal factors
    –Inadequate data integrity
    –Poor systems selection/development
    –Inadequately maintained systems

31 EVENT IDENTIFICATION
Companies usually use two or more of the following techniques together to identify events:
–Use comprehensive lists of potential events
–Perform an internal analysis
–Monitor leading events and trigger points
–Conduct workshops and interviews
–Perform data mining and analysis
–Analyze processes

32 RISK ASSESSMENT AND RISK RESPONSE
The fourth and fifth components of COSO’s ERM model are risk assessment and risk response. COSO indicates there are two types of risk:
–Inherent risk
–Residual risk

33 RISK ASSESSMENT AND RISK RESPONSE
Companies should:
–Assess inherent risk
–Develop a response
–Then assess residual risk
The ERM model indicates four ways to respond to risk:
–Reduce it
–Accept it
–Share it
–Avoid it

34 RISK ASSESSMENT AND RISK RESPONSE
The benefits of an internal control procedure must exceed its costs. Benefits can be hard to quantify, but include:
–Increased sales and productivity
–Reduced losses
–Better integration with customers and suppliers
–Increased customer loyalty
–Competitive advantages
–Lower insurance premiums
[Flowchart shown on slides 34 to 39, risk assessment and response steps: Identify the events or threats that confront the company; Estimate the likelihood or probability of each event occurring; Estimate the impact of potential loss from each threat; Identify a set of controls to guard against the threat; Estimate costs and benefits from instituting controls; Is it cost-beneficial to protect the system? Yes: reduce risk by implementing the set of controls to guard against the threat. No: avoid, share, or accept the risk.]

35 RISK ASSESSMENT AND RISK RESPONSE
Costs are usually easier to measure than benefits. The primary cost is personnel, including:
–Time to perform control procedures
–Costs of hiring additional employees to effectively segregate duties
–Costs of programming controls into a system

36 RISK ASSESSMENT AND RISK RESPONSE
Other costs of a poor control system include:
–Lost sales
–Lower productivity
–Drop in stock price if security problems arise
–Shareholder or regulator lawsuits
–Fines and penalties imposed by governmental agencies

37 RISK ASSESSMENT AND RISK RESPONSE
The expected loss related to a risk is measured as:
–Expected loss = impact x likelihood
The value of a control procedure is the difference between:
–Expected loss without the control procedure
–Expected loss with it

38 RISK ASSESSMENT AND RISK RESPONSE
Let’s go through an example:
–Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.
–A catastrophic theft could result in losses of $800,000.
–Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.
–Companies with motion detectors only have about a 0.5% probability of catastrophic theft.
–The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.
–Should Hobby Hole install the motion detectors?
Expected loss without control procedure = $800,000 x .12 = $96,000.
Expected loss with control procedure = $800,000 x .005 = $4,000.
Estimated value of control procedure = $96,000 - $4,000 = $92,000.
Estimated cost of control procedure = $43,000 (given).
Benefits exceed costs by $92,000 - $43,000 = $49,000.
In this case, Hobby Hole should probably install the motion detectors.

39 RISK ASSESSMENT AND RISK RESPONSE
Risks that are not reduced must be accepted, shared, or avoided.
–If the risk is within the company’s risk tolerance, they will typically accept the risk.
–A reduce or share response is used to bring residual risk into an acceptable risk tolerance range.
–An avoid response is typically only used when there is no way to cost-effectively bring risk into an acceptable risk tolerance range.
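The expected-loss formula, the Hobby Hole calculation, and the accept/reduce/share/avoid rule from the preceding slides, carried through in code as an added example (not from the textbook or its authors). The threat and control names, the Decimal representation, and the risk tolerance figure used at the end are constructed assumptions; the dollar amounts and probabilities are the slide's.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Threat:
    """An event that could injure the AIS: its impact (dollar loss) and likelihood."""
    name: str
    impact: Decimal       # potential dollar loss if the threat becomes reality
    likelihood: Decimal   # inherent probability of occurrence, 0..1


@dataclass(frozen=True)
class Control:
    """A candidate control procedure and the likelihood left once it is in place."""
    name: str
    cost: Decimal                 # present value of purchase, installation and running costs
    residual_likelihood: Decimal  # probability of the threat with the control operating


def expected_loss(impact: Decimal, likelihood: Decimal) -> Decimal:
    """Chapter formula: expected loss = impact x likelihood."""
    return impact * likelihood


def evaluate_control(threat: Threat, control: Control) -> dict:
    """Value of a control = expected loss without it minus expected loss with it.
    Net benefit = value minus the control's cost; positive net means cost-beneficial."""
    without = expected_loss(threat.impact, threat.likelihood)
    with_control = expected_loss(threat.impact, control.residual_likelihood)
    value = without - with_control
    return {
        "loss_without": without,
        "loss_with": with_control,
        "value": value,
        "cost": control.cost,
        "net_benefit": value - control.cost,
        "cost_beneficial": value > control.cost,
    }


def risk_response(threat: Threat, controls: list, risk_tolerance: Decimal) -> tuple:
    """Apply the slide-39 rule to one threat and return (response, control name or None).

    accept        - inherent expected loss is already within tolerance
    reduce        - a cost-beneficial control brings residual expected loss within
                    tolerance (the one with the largest net benefit is chosen)
    share or avoid - no control does so cost-effectively, so the residual risk must be
                    shared (e.g. insured) or the activity avoided
    """
    if expected_loss(threat.impact, threat.likelihood) <= risk_tolerance:
        return ("accept", None)
    candidates = []
    for control in controls:
        result = evaluate_control(threat, control)
        if result["cost_beneficial"] and result["loss_with"] <= risk_tolerance:
            candidates.append((result["net_benefit"], control.name))
    if candidates:
        return ("reduce", max(candidates)[1])
    return ("share or avoid", None)


# Hobby Hole figures from slide 38; the $10,000 risk tolerance below is a constructed assumption.
CATASTROPHIC_THEFT = Threat("catastrophic warehouse theft", Decimal("800000"), Decimal("0.12"))
MOTION_DETECTORS = Control("motion detector system", Decimal("43000"), Decimal("0.005"))

if __name__ == "__main__":
    for key, val in evaluate_control(CATASTROPHIC_THEFT, MOTION_DETECTORS).items():
        print(f"{key:>16}: {val}")
    print(risk_response(CATASTROPHIC_THEFT, [MOTION_DETECTORS], Decimal("10000")))
```

Running the block reproduces the slide's figures ($96,000 without, $4,000 with, $92,000 value, $49,000 net) and returns a "reduce" response naming the motion detectors.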

40 CONTROL ACTIVITIES
The sixth component of COSO’s ERM model. Control activities are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out.

41 CONTROL ACTIVITIES
It is management’s responsibility to develop a secure and adequately controlled system.
–Controls are much more effective when built in on the front end.
–Consequently, systems analysts, designers, and end users should be involved in designing adequate computer-based control systems.
Management must also establish a set of procedures to ensure control compliance and enforcement.
–This is usually the purview of the information security officer and the operations staff.

42 CONTROL ACTIVITIES
Generally, control procedures fall into one of the following categories:
–Proper authorization of transactions and activities
–Segregation of duties
–Project development and acquisition controls
–Change management controls
–Design and use of documents and records
–Safeguarding of assets, records, and data
–Independent checks on performance

43 INFORMATION AND COMMUNICATION
The seventh component of COSO’s ERM model. The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization. So accountants must understand how:
–Transactions are initiated
–Data are captured in or converted to machine-readable form
–Computer files are accessed and updated
–Data are processed
–Information is reported to internal and external parties

44 INFORMATION AND COMMUNICATION
According to the AICPA, an AIS has five primary objectives:
–Identify and record all valid transactions.
–Properly classify transactions.
–Record transactions at their proper monetary value.
–Record transactions in the proper accounting period.
–Properly present transactions and related disclosures in the financial statements.

45 MONITORING
Key methods of monitoring performance include:
–Perform ERM evaluation
–Implement effective supervision
–Use responsibility accounting
–Monitor system activities
–Track purchased software
–Conduct periodic audits
–Employ a computer security officer, a Chief Compliance Officer, and computer consultants
–Engage forensic specialists
–Install fraud detection software
–Implement a fraud hotline

46 SUMMARY
In this chapter, you’ve learned about basic internal control concepts and why computer control and security are so important. You’ve learned about the similarities and differences between the COBIT, COSO, and ERM control frameworks. You’ve learned about the major elements in the internal control environment of a company and the four types of control objectives that companies need to set. You’ve also learned about events that affect uncertainty and how these events can be identified. You’ve explored how the Enterprise Risk Management model is used to assess and respond to risk, as well as the control activities that are commonly used in companies. Finally, you’ve learned how organizations communicate information and monitor control processes.
