Accounting Information Systems: Essential Concepts and Applications
Fourth Edition by Wilkinson, Cerullo, Raval, and Wong-On-Wing

Chapter 7: Risk Exposures and the Internal Control Structure
Slides Authored by Somnath Bhattacharya, Ph.D., Florida Atlantic University
Internal Control

Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm’s objectives will be achieved.
These controls encompass all the measures and practices that are used to counteract exposures to risks.
The control framework is called the Internal Control Structure.
Objectives of the Internal Control Structure

• Promoting Effectiveness and Efficiency of Operations
• Reliability of Financial Reporting
• Safeguarding assets
• Checking the accuracy and reliability of accounting data
• Compliance with applicable laws and regulations
• Encouraging adherence to prescribed managerial policies
Components and Major Considerations of the IC Structure

Figure 7-1 (diagram, rendered here as an outline):
Internal Control Structure
  - Control Environment
  - Risk Assessment
  - Control Activities
      - Activities related to Financial Reporting
      - Activities related to Information Processing
          - General Controls
          - Application Controls
  - Monitoring
  - Information & Communication
Control Environment

The Control Environment establishes the tone of a company, influencing the control consciousness of its employees.
It is comprised of seven components:
• Management philosophy and operating style
• Integrity and ethical values
• Commitment to competence
• The Board of Directors and the Audit Committee
• Organizational Structure
• Assignment of authority and responsibility
• Human resources policies and practices
• External Influences
Highlights of CE Components - I

Management Philosophy and Operating Style
• Does management emphasize short-term profits and operating goals over long-term goals?
• Is management dominated by one or a few individuals?
• What type of business risks does management take, and how are these risks managed?
• Is management conservative or aggressive toward selecting from available alternative accounting principles?
Figure 7-2
Highlights of CE Components - II

Organization Structure
• Is an up-to-date organization chart prepared, showing the names of key personnel?
• Is the information systems function separated from incompatible functions?
• How is the accounting department organized?
• Is the internal audit function separate and distinct from accounting?
• Do subordinate managers report to more than one supervisor?
Figure 7-2 Continued
Highlights of CE Components - III

Assignment of Authority and Responsibility
• Does the company prepare written employee job descriptions defining specific duties and reporting relationships?
• Is written approval required for changes made to information systems?
• Does the company clearly delineate to employees and managers the boundaries of authority-responsibility relationships?
• Does the company properly delegate authority to employees and departments?
Figure 7-2 Continued
Highlights of CE Components - IV

Human Resource Policies and Practices
• Are new personnel indoctrinated with respect to Internal Controls, Ethics Policies, and the Corporate Code of Conduct?
• Is the company in compliance with the ADA? The EEOA?
• Are Grievance Procedures to manage conflict in force?
• Does the company maintain a sound Employee Relations program?
• Do employees work in a safe, healthy environment?
• Are Counseling Programs available to employees?
• Are proper Separation Programs in force for employees who leave the firm?
• Are critical employees Bonded?
Figure 7-2 Continued
Key Functions Performed by Audit Committees

• Establish an Internal Audit Department
• Review the Scope and Status of Audits
• Review Audit Findings with the Board and ensure that Management has taken the proper action recommended in the Audit Report and Letter of Reportable Conditions
• Maintain a direct Line of Communication among the Board, Management, External and Internal Auditors, and periodically arrange Meetings among the parties
• Review the Audited Financial Statements with the Internal Auditors and the Board of Directors
• Require periodic Quality Reviews of the operations of the Internal Audit Department to identify areas needing improvement
• Supervise special investigations, such as Fraud Investigations
• Assess the performance of Financial Management
• Require the Review of Compliance with Laws and Regulations and with Corporate Codes of Conduct
Figure 7-3
Risk Assessment

Top management must be directly involved in Business Risk Assessment. This involves identifying and analyzing the relevant risks that may prevent the attainment of company-wide objectives and the objectives of organizational units, and forming a plan that determines how those risks are to be managed.
Control Activities - I

Control Activities as related to Financial Reporting may be classified according to their intended uses in a system:
• Preventive Controls block adverse events, such as errors or losses, from occurring
• Detective Controls discover the occurrence of adverse events, such as operational inefficiency
• Corrective Controls are designed to remedy problems discovered through detective controls
• Security Measures are intended to provide adequate safeguards over access to and use of assets and data records
Control Activities - II

Control Activities relating to Information Processing may also be classified according to where they will be applied within the system:
• General controls are those controls that pertain to all activities involving a firm’s AIS and assets
• Application controls relate to specific accounting tasks or transactions
The overall trend seems to be going from specific application controls to more global general controls.
Control Activities - III

Performance Reviews
• Comparing Budgets to Actual Values
• Relating different sets of data (operating or financial) to one another, together with analyses of the relationships and investigative and corrective actions
• Reviewing functional performance, such as a bank’s consumer loan manager’s review of reports by branch, region, and loan type for loan approvals and collections
Information & Communication

• All Transactions entered for processing are Valid and Authorized
• All valid transactions are captured and entered for processing on a Timely Basis and in Sufficient Detail to permit the proper Classification of Transactions
• The input data of all entered transactions are Accurate and Complete, with the transactions being expressed in proper Monetary terms
• All entered transactions are processed properly to update all affected records of Master Files and/or Other Types of Data Sets
• All required Outputs are prepared according to Appropriate Rules to provide Accurate and Reliable Information
• All transactions are recorded in the proper Accounting Period
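The edit checks that a data-collection program would run to enforce these objectives, as an added example that is not code from the textbook: each record is tested for completeness, valid account codes, an authorized approver, a positive amount in whole cents, and a posting date inside the open accounting period. The chart of accounts, approver list, open period and the three sample records are constructed values.

```python
"""Edit checks on a batch of journal transactions. Added example, not textbook
code: it applies the slide's control objectives (valid and authorized, complete,
proper monetary terms, proper accounting period) before a record is accepted.
Chart of accounts, approver list and open period are constructed sample data."""
from datetime import date
from decimal import Decimal, InvalidOperation

VALID_ACCOUNTS = {"1000", "1200", "2000", "4000", "5000"}  # constructed chart of accounts
AUTHORIZED_APPROVERS = {"jdoe", "asmith"}                   # constructed approver list
OPEN_PERIOD = (date(2000, 3, 1), date(2000, 3, 31))         # constructed open period
REQUIRED = ("doc_id", "posted_on", "debit_acct", "credit_acct", "amount", "approver")

def edit_check(txn: dict) -> list:
    """Return the control violations in one transaction (empty list means accept)."""
    missing = [f for f in REQUIRED if not txn.get(f)]             # completeness
    if missing:
        return [f"incomplete: missing {', '.join(missing)}"]
    errors = []
    for side in ("debit_acct", "credit_acct"):                    # validity of accounts
        if txn[side] not in VALID_ACCOUNTS:
            errors.append(f"invalid: unknown account {txn[side]} in {side}")
    if txn["approver"] not in AUTHORIZED_APPROVERS:               # authorization
        errors.append(f"unauthorized: approver {txn['approver']}")
    try:                                                          # proper monetary terms
        amount = Decimal(str(txn["amount"]))
        if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
            errors.append(f"monetary: {txn['amount']} is not a positive amount in cents")
    except InvalidOperation:
        errors.append(f"monetary: {txn['amount']} is not numeric")
    if not OPEN_PERIOD[0] <= txn["posted_on"] <= OPEN_PERIOD[1]:  # accounting period
        errors.append(f"period: {txn['posted_on']} is outside the open period")
    return errors

def screen_batch(txns):
    """Split a batch into accepted document ids and (id, violations) rejects."""
    accepted, rejected = [], []
    for txn in txns:
        errs = edit_check(txn)
        if errs:
            rejected.append((txn.get("doc_id", "<no id>"), errs))
        else:
            accepted.append(txn["doc_id"])
    return accepted, rejected

def sample_batch():
    """Constructed input: one clean record and two that the checks should reject."""
    good = {"doc_id": "JV-101", "posted_on": date(2000, 3, 15), "debit_acct": "1200",
            "credit_acct": "4000", "amount": "1250.00", "approver": "jdoe"}
    bad_auth = dict(good, doc_id="JV-102", approver="mallory", amount="99.999")
    bad_period = dict(good, doc_id="JV-103", posted_on=date(2000, 4, 2))
    return [good, bad_auth, bad_period]
```

Rejected records are reported with every violation found rather than only the first, which is what a clerk reviewing an exception listing needs.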
Risk

Business firms face risks that reduce the chances of achieving their control objectives. Risk exposures arise from internal sources, such as employees, as well as external sources, such as computer hackers.
Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.
Some Typical Sources of Risk

• Clerical and Operational Employees, who process transactional data and have access to Assets
• Computer Programmers, who have knowledge relating to the Instructions by which transactions are processed
• Managers and Accountants, who have access to Records and Financial Reports and often have Authority to Approve Transactions
• Former Employees, who may still understand the Control Structure and may harbor grudges against the firm
• Customers and Suppliers, who generate many of the transactions processed by the firm
• Competitors, who may desire to acquire confidential information of the firm
• Outside Persons, such as Computer Hackers and Criminals, who have various reasons to access the firm’s data or its assets or to commit destructive acts
• Acts of Nature or Accidents, such as floods, fires, and equipment breakdowns
Figure 7-4
Types of Risks

• Unintentional Errors
• Deliberate Errors (Fraud)
• Unintentional Losses of Assets
• Thefts of Assets
• Breaches of Security
• Acts of Violence and Natural Disasters
Factors that Increase Risk Exposure

• Frequency: the more frequent the occurrence of a transaction, the greater the exposure to risk
• Vulnerability: liquid and/or portable assets contribute to risk exposure
• Size of the potential loss: the higher the monetary value of a loss, the greater the risk exposure
Problem Conditions Affecting Risk Exposures

• Collusion (both internal and external), which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures
• Lack of Enforcement: management may not prosecute wrongdoers because of the potential embarrassment
• Computer crime poses very high degrees of risk, and fraudulent activities are difficult to detect
Computer Crime

Computer crime (computer abuse) is the use of a computer to deceive for personal gain.
Due to the proliferation of networks and personal computers, computer crime is expected to significantly increase both in frequency and amount of loss.
It is speculated that a relatively small proportion of computer crime gets detected and an even smaller proportion gets reported.
Examples of Computer Crime

• Theft of Computer Hardware & Software
• Unauthorized Use of Computer Facilities for Personal Use
• Fraudulent Modification or Use of Data or Programs
Reasons Why Computers Cause Control Problems

• Processing is Concentrated
• Audit Trails may be Undermined
• Human Judgment is bypassed
• Data are stored in Device-Oriented rather than Human-Oriented forms
• Invisible Data
• Stored data are Erasable
• Data are stored in a Compressed form
• Stored data are relatively accessible
• Computer Equipment is Powerful but Complex and Vulnerable
Feasibility of Controls

• Audit Considerations
• Cost-Benefit Considerations:
  1. Determine the Specific Computer Resources Subject to Control
  2. Determine all Potential Threats to the company’s Computer System
  3. Assess the Relevant Risks to which the firm is exposed
  4. Measure the Extent of each Relevant Risk Exposure in dollar terms
  5. Multiply the Estimated Effect of each Relevant Risk Exposure by the Estimated Frequency of Occurrence over a Reasonable Period, such as a year
  6. Compute the Cost of Installing and Maintaining a Control that is to Counter each Relevant Risk Exposure
  7. Compare the Benefits against the Costs of Each Control
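The cost-benefit steps above carried out as a small program, as an added example that is not code from the textbook. It goes one step beyond the slide: each exposure carries an assumed share of occurrences the proposed control prevents, so the benefit compared against cost is the loss actually avoided rather than the whole expected loss. All dollar figures, frequencies and reduction shares are constructed.

```python
"""Cost-benefit screening of proposed controls, following the slide's steps.
Added example, not textbook code. Beyond the slide, each entry carries the
assumed share of occurrences the control prevents, since a control rarely
removes a risk entirely. All dollar figures and frequencies are constructed."""
from dataclasses import dataclass

@dataclass
class RiskExposure:
    resource: str           # computer resource subject to control
    threat: str             # potential threat to that resource
    loss_per_event: float   # extent of the exposure in dollars
    events_per_year: float  # estimated frequency over a one-year period
    control: str            # control proposed to counter the exposure
    control_cost: float     # annual cost to install and maintain the control
    reduction: float        # assumed share of events the control prevents (0..1)

    def expected_annual_loss(self) -> float:
        """Estimated effect of the exposure times its estimated annual frequency."""
        return self.loss_per_event * self.events_per_year

    def annual_benefit(self) -> float:
        """Loss avoided per year: only the prevented share counts as benefit."""
        return self.expected_annual_loss() * self.reduction

    def net_benefit(self) -> float:
        """Benefit compared against cost; the control is justified when positive."""
        return self.annual_benefit() - self.control_cost

def justified_controls(exposures):
    """Controls whose annual benefit exceeds their cost, most favourable first."""
    keep = [e for e in exposures if e.net_benefit() > 0]
    return sorted(keep, key=lambda e: e.net_benefit(), reverse=True)

def sample_exposures():
    """Constructed figures for three exposures; not taken from the textbook."""
    return [
        RiskExposure("payroll master file", "unauthorized change to pay rates",
                     8_000, 2.0, "access control with change-log review", 5_000, 0.9),
        RiskExposure("data center", "fire destroys equipment and media",
                     400_000, 0.02, "off-site backup and fire suppression", 12_000, 0.8),
        RiskExposure("order-entry terminals", "clerk keying errors in sales orders",
                     150, 300, "edit checks on order entry", 9_000, 0.7),
    ]

if __name__ == "__main__":
    for e in justified_controls(sample_exposures()):
        print(f"{e.control}: net benefit ${e.net_benefit():,.0f} per year")
```

With the constructed figures the fire control is rejected: a 400,000 dollar loss at 0.02 occurrences per year is an expected 8,000 dollars, and preventing 80% of that does not cover a 12,000 dollar annual cost.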
Legislation

• The Foreign Corrupt Practices Act of 1977
• Of the Federal Legislation governing the use of computers, the Computer Fraud and Abuse Act of 1984 (amended in 1986) is perhaps the most important. This act makes it a federal crime to intentionally access a computer for such purposes as:
  (1) obtaining top-secret military information, or personal, financial or credit information
  (2) committing a fraud
  (3) altering or destroying federal information
Methods for Thwarting Computer Abuse

• Enlist top-management support so that awareness of computer abuse will filter down through management ranks.
• Implement and enforce control procedures.
• Increase employee awareness of the seriousness of computer abuse, the costs it imposes, and the disruption it creates.
• Establish a code of conduct.
• Be aware of the common characteristics of most computer abusers.
• Recognize the symptoms of computer abuse, such as:
  - behavioral or lifestyle changes in an employee
  - accounting irregularities such as forged, altered or destroyed input documents, or suspicious accounting adjustments
  - absent or ignored control procedures
  - the presence of many odd or unusual anomalies that go unchallenged
• Encourage ethical behavior.
Control Problems Caused by Computerization: Data Collection

Manual system: Data recorded in paper source documents.
Computer-based system: Data sometimes captured without use of source documents.
Risk exposure: Audit trail may be partially lost.
Compensating controls: Printed copies of source documents prepared by computer systems.

Manual system: Data reviewed for errors by clerks.
Computer-based system: Data often not subject to review by clerks.
Risk exposure: Errors, accidental or deliberate, may be entered for processing.
Compensating controls: Edit checks performed by computer system.
Figure 7-6
Control Problems Caused by Computerization: Data Processing

Manual system: Processing steps performed by clerks who possess judgment.
Computer-based system: Processing steps performed by CPU “blindly” in accordance with program instructions.
Risk exposure: Errors may cause incorrect results of processing.
Compensating controls: Outputs reviewed by users of computer system; carefully developed computer processing programs.

Manual system: Processing steps among various clerks in separate departments.
Computer-based system: Processing steps concentrated within computer CPU.
Risk exposure: Unauthorized manipulation of data and theft of assets can occur on larger scale.
Compensating controls: Restricted access to computer facilities; clear procedure for authorizing changes to programs.

Manual system: Processing requires use of journals and ledgers.
Computer-based system: Processing does not require use of journals.
Risk exposure: Audit trail may be partially lost.
Compensating controls: Printed journals and other analyses.

Manual system: Processing performed relatively slowly.
Computer-based system: Processing performed very rapidly.
Risk exposure: Effects of errors may spread rapidly through files.
Compensating controls: Editing of all data during input and processing steps.
Figure 7-6 Continued
Control Problems Caused by Computerization: Data Storage & Retrieval

Manual system: Data stored in file drawers throughout the various departments.
Computer-based system: Data compressed on magnetic media (e.g., tapes, disks).
Risk exposure: Data may be accessed by unauthorized persons or stolen.
Compensating controls: Security measures at points of access and over data library.

Manual system: Data stored on hard copies in human-readable form.
Computer-based system: Data stored in invisible, erasable, computer-readable form.
Risk exposure: Data are temporarily unusable by humans, and might possibly be lost.
Compensating controls: Data files printed periodically; backup of files; protection against sudden power losses.

Manual system: Stored data accessible on a piecemeal basis at various locations.
Computer-based system: Stored data often readily accessible from various locations via terminals.
Risk exposure: Data may be accessed by unauthorized persons.
Compensating controls: Security measures at points of access.
Figure 7-6 Continued
Control Problems Caused by Computerization: Information Generation

Manual system: Outputs generated laboriously and usually in small volumes.
Computer-based system: Outputs generated quickly and neatly, often in large volumes.
Risk exposure: Inaccuracies may be buried in impressive-looking outputs that users accept on faith.
Compensating controls: Reviews by users of outputs, including the checking of amounts.

Manual system: Outputs usually in hard-copy form.
Computer-based system: Outputs provided in various forms, including soft-copy displays and voice responses.
Risk exposure: Information stored on magnetic media is subject to modification (only hard copy provides a permanent record).
Compensating controls: Backup of files; periodic printing of stored files onto hard-copy records.
Figure 7-6 Continued
Control Problems Caused by Computerization: Equipment

Manual system: Relatively simple, inexpensive, and mobile.
Computer-based system: Relatively complex, expensive, and in fixed locations.
Risk exposure: Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed; operations may be delayed through inefficiencies.
Compensating controls: Backup of data and power supply and equipment; preventive maintenance of equipment; restrictions on access to computer facilities; documentation of equipment usage and processing procedures.
Figure 7-6 Continued
Copyright © 2000 John Wiley & Sons, Inc. All rights reserved.