Accounting Information Systems 9

Accounting Information Systems, 9th Edition
Marshall B. Romney
Paul John Steinbart
©2003 Prentice Hall Business Publishing,
Accounting Information Systems, 9/e, Romney/Steinbart
7-1
Computer-Based Information Systems Controls
Chapter 7

Learning Objectives
1. Explain the basic concepts of control as applied to business organizations.
2. Describe the major elements in the control environment of a business organization.
3. Describe control policies and procedures commonly used in business organizations.

Learning Objectives
4. Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.
5. Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.

Introduction
Jason Scott has been hired as an internal auditor for Northwest Industries, a diversified forest products company.
He is assigned to audit Springer’s Lumber & Supply, Northwest’s building materials outlet in Montana.

Introduction
His supervisor, Maria Pilier, has asked him to trace a sample of purchase transactions to verify that proper control procedures were followed. Jason becomes frustrated.
Why is Jason frustrated?
The purchasing system is poorly documented.
He keeps finding transactions that have not been processed as Ed Yates, the accounts payable manager, said they should be.

Introduction
Some vendor invoices have been paid without supporting documents.
Prices charged for some items seem unusually high.
Management authority is concentrated in the company president, Joe Springer, and his sons.
Maria feels that the controller may have engaged in “creative accounting.”

Introduction
Jason ponders the following issues:
– Should he describe the unusual transactions in his report?
– Is a violation of proper control procedures acceptable if it has been authorized by management?
– Regarding Jason’s assignment, does he have a professional or ethical responsibility to get involved?

Introduction
This chapter discusses the types of threats a company faces.
It also presents the five interrelated components of the internal control model of the Committee of Sponsoring Organizations (COSO).

Threats to Accounting Information Systems
What are examples of natural and political disasters?
– fire or excessive heat
– floods
– earthquakes
– high winds
– war

Threats to Accounting Information Systems
What are examples of software errors and equipment malfunctions?
– hardware failures
– power outages and fluctuations
– undetected data transmission errors

Threats to Accounting Information Systems
What are examples of unintentional acts?
– accidents caused by human carelessness
– innocent errors of omission
– lost or misplaced data
– logic errors
– systems that do not meet company needs

Threats to Accounting Information Systems
What are examples of intentional acts?
– sabotage
– computer fraud
– embezzlement

Learning Objective 1
Explain the basic concepts of control as applied to business organizations.

Overview of Control Concepts
What is the traditional definition of internal control?
Internal control is the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed managerial policies.

Overview of Control Concepts
What is management control?
Management control encompasses the following three features:
1. It is an integral part of management responsibilities.
2. It is designed to reduce errors and irregularities and to achieve organizational goals.
3. It is personnel-oriented and seeks to help employees attain company goals.

Internal Control Classifications
The specific control procedures used in the internal control and management control systems may be classified using the following four internal control classifications:
1. Preventive, detective, and corrective controls
2. General and application controls
3. Administrative and accounting controls
4. Input, processing, and output controls

The Foreign Corrupt Practices Act
In 1977, Congress incorporated language from an AICPA pronouncement into the Foreign Corrupt Practices Act.
The primary purpose of the act was to prevent the bribery of foreign officials in order to obtain business.
A significant effect of the act was to require corporations to maintain good systems of internal accounting control.

Committee of Sponsoring Organizations
The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of five organizations:
1. American Accounting Association
2. American Institute of Certified Public Accountants
3. Institute of Internal Auditors
4. Institute of Management Accountants
5. Financial Executives Institute

Committee of Sponsoring Organizations
In 1992, COSO issued the results of a study to develop a definition of internal controls and to provide guidance for evaluating internal control systems.
The report has been widely accepted as the authority on internal controls.

Committee of Sponsoring Organizations
The COSO study defines internal control as the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that control objectives are achieved with regard to:
– effectiveness and efficiency of operations
– reliability of financial reporting
– compliance with applicable laws and regulations

Committee of Sponsoring Organizations
COSO’s internal control model has five crucial components:
1. Control environment
2. Control activities
3. Risk assessment
4. Information and communication
5. Monitoring

Information Systems Audit and Control Foundation
The Information Systems Audit and Control Foundation (ISACF) recently developed the Control Objectives for Information and related Technology (COBIT).
COBIT consolidates standards from 36 different sources into a single framework.
The framework addresses the issue of control from three vantage points, or dimensions:

Information Systems Audit and Control Foundation
1. Information: needs to conform to certain criteria that COBIT refers to as business requirements for information
2. IT resources: people, application systems, technology, facilities, and data
3. IT processes: planning and organization, acquisition and implementation, delivery and support, and monitoring

Learning Objective 2
Describe the major elements in the control environment of a business organization.

The Control Environment
The first component of COSO’s internal control model is the control environment.
The control environment consists of many factors, including the following:
1. Commitment to integrity and ethical values
2. Management’s philosophy and operating style
3. Organizational structure

The Control Environment
4. The audit committee of the board of directors
5. Methods of assigning authority and responsibility
6. Human resources policies and practices
7. External influences

Learning Objective 3
Describe control policies and procedures commonly used in business organizations.

Control Activities
The second component of COSO’s internal control model is control activities.
Generally, control procedures fall into one of five categories:
1. Proper authorization of transactions and activities
2. Segregation of duties

Control Activities
3. Design and use of adequate documents and records
4. Adequate safeguards of assets and records
5. Independent checks on performance

Proper Authorization of Transactions and Activities
Authorization is the empowerment management gives employees to perform activities and make decisions.
A digital signature or fingerprint is a means of signing a document with a piece of data that cannot be forged.
Specific authorization is the granting of authorization by management for certain activities or transactions.

Segregation of Duties
Good internal control demands that no single employee be given too much responsibility.
An employee should not be in a position to perpetrate and conceal fraud or unintentional errors.

Segregation of Duties
Custodial Functions
– Handling cash
– Handling assets
– Writing checks
– Receiving checks in mail
Recording Functions
– Preparing source documents
– Maintaining journals
– Preparing reconciliations
– Preparing performance reports
Authorization Functions
– Authorization of transactions

Segregation of Duties
If two of these three functions are the responsibility of a single person, problems can arise.
Segregation of duties prevents employees from falsifying records in order to conceal theft of assets entrusted to them.
It also prevents the authorization of a fictitious or inaccurate transaction as a means of concealing asset thefts.

Segregation of Duties
Segregation of duties prevents an employee from falsifying records to cover up an inaccurate or false transaction that was inappropriately authorized.

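An added example, not part of the original slides: a review of duty assignments that flags any employee whose duties span two or more of the three functions listed above. The duty names come from the slides; the employee labels, the assignments, and the pairing of each slide statement with a specific pair of functions are assumptions made for illustration.

```python
from itertools import combinations

# Duties grouped under the three functions, as listed on the slide.
FUNCTIONS = {
    "custody": ["handling cash", "handling assets", "writing checks",
                "receiving checks in mail"],
    "recording": ["preparing source documents", "maintaining journals",
                  "preparing reconciliations", "preparing performance reports"],
    "authorization": ["authorization of transactions"],
}
DUTY_TO_FUNCTION = {d: f for f, duties in FUNCTIONS.items() for d in duties}

# What each incompatible pair lets one person do (assumed mapping of the
# slide statements onto pairs of functions; keys are in alphabetical order).
EXPOSURE = {
    ("custody", "recording"):
        "falsify records to conceal theft of entrusted assets",
    ("authorization", "custody"):
        "authorize a fictitious transaction to conceal asset theft",
    ("authorization", "recording"):
        "falsify records to cover an inappropriately authorized transaction",
}

def sod_conflicts(assignments):
    """Return {employee: [(function_a, function_b, exposure), ...]} for every
    employee whose duties fall under two or more of the three functions."""
    findings = {}
    for employee, duties in assignments.items():
        unknown = [d for d in duties if d not in DUTY_TO_FUNCTION]
        if unknown:
            # Fail closed: an unclassified duty must not pass the review silently.
            raise ValueError(f"unclassified duties for {employee}: {unknown}")
        held = sorted({DUTY_TO_FUNCTION[d] for d in duties})
        pairs = [(a, b, EXPOSURE[(a, b)]) for a, b in combinations(held, 2)]
        if pairs:
            findings[employee] = pairs
    return findings

# Constructed assignments for illustration only.
ASSIGNMENTS = {
    "cashier": ["handling cash", "receiving checks in mail"],
    "ap_clerk": ["maintaining journals", "writing checks"],
    "owner_manager": ["authorization of transactions", "handling assets",
                      "preparing reconciliations"],
}

if __name__ == "__main__":
    for employee, pairs in sod_conflicts(ASSIGNMENTS).items():
        for a, b, exposure in pairs:
            print(f"{employee}: {a} + {b} -> could {exposure}")
```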
Design and Use of Adequate Documents and Records
The proper design and use of documents and records helps ensure the accurate and complete recording of all relevant transaction data.
Documents that initiate a transaction should contain a space for authorization.

Design and Use of Adequate Documents and Records
The following procedures safeguard assets from theft, unauthorized use, and vandalism:
– effectively supervising and segregating duties
– maintaining accurate records of assets, including information
– restricting physical access to cash and paper assets
– having restricted storage areas

Adequate Safeguards of Assets and Records
What can be used to safeguard assets?
– cash registers
– safes, lockboxes
– safety deposit boxes
– restricted and fireproof storage areas
– controlling the environment
– restricted access to computer rooms, computer files, and information

Independent Checks on Performance
Independent checks to ensure that transactions are processed accurately are another important control element.
What are various types of independent checks?
– reconciliation of two independently maintained sets of records
– comparison of actual quantities with recorded amounts

Independent Checks on Performance
– double-entry accounting
– batch totals
Five batch totals are used in computer systems:
1. A financial total is the sum of a dollar field.
2. A hash total is the sum of a field that would usually not be added.

Independent Checks on Performance
3. A record count is the number of documents processed.
4. A line count is the number of lines of data entered.
5. A cross-footing balance test compares the grand total of all the rows with the grand total of all the columns to check that they are equal.

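An added example, not part of the original slides: the five batch totals computed over a small batch of vendor invoices, with the control totals prepared at input compared against totals recomputed after processing. All invoice data, vendor numbers and field names are constructed. It shows that a changed vendor number leaves the financial total and both counts intact and is caught only by the hash total.

```python
from decimal import Decimal as D

def batch_totals(batch):
    """Four of the five batch totals for a batch of documents."""
    return {
        # sum of a dollar field
        "financial_total": sum((a for doc in batch for a in doc["amounts"]), D("0")),
        # sum of a field that would usually not be added (vendor numbers)
        "hash_total": sum(doc["vendor_no"] for doc in batch),
        # number of documents processed
        "record_count": len(batch),
        # number of lines of data entered
        "line_count": sum(len(doc["amounts"]) for doc in batch),
    }

def cross_foot_ok(row_totals, column_totals):
    """Fifth total: the grand total of the recorded row totals must equal
    the grand total of the recorded column totals."""
    return sum(row_totals) == sum(column_totals)

def mismatches(control, processed_batch):
    """Names of the totals that differ between the control totals prepared
    at input and the totals recomputed from the processed batch."""
    actual = batch_totals(processed_batch)
    return sorted(name for name in control if control[name] != actual[name])

# Constructed batch as submitted for processing.
SUBMITTED = [
    {"invoice_no": 7001, "vendor_no": 4051, "amounts": [D("120.00"), D("35.50")]},
    {"invoice_no": 7002, "vendor_no": 2210, "amounts": [D("980.25")]},
    {"invoice_no": 7003, "vendor_no": 3377, "amounts": [D("64.10"), D("12.00"), D("8.15")]},
]
CONTROL = batch_totals(SUBMITTED)

# Constructed case 1: the vendor number on one invoice was changed after input.
REDIRECTED = [SUBMITTED[0], {**SUBMITTED[1], "vendor_no": 9999}, SUBMITTED[2]]
# Constructed case 2: one invoice was lost before processing.
DROPPED = SUBMITTED[:2]

# Constructed worksheet totals: one row per invoice, one column per expense category.
ROW_TOTALS = [D("155.50"), D("980.25"), D("84.25")]
COLUMN_TOTALS = [D("1164.35"), D("55.65")]
MISKEYED_COLUMN_TOTALS = [D("1164.35"), D("56.55")]

if __name__ == "__main__":
    print("control totals:", CONTROL)
    print("changed vendor number:", mismatches(CONTROL, REDIRECTED))
    print("dropped invoice:", mismatches(CONTROL, DROPPED))
    print("cross-foot balances:", cross_foot_ok(ROW_TOTALS, COLUMN_TOTALS))
```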
Learning Objective 4
Evaluate a system of internal accounting control, identify its deficiencies, and prescribe modifications to remedy those deficiencies.

Risk Assessment
The third component of COSO’s internal control model is risk assessment.
Companies must identify the threats they face:
– strategic — doing the wrong thing
– financial — having financial resources lost, wasted, or stolen
– information — faulty or irrelevant information, or unreliable systems

Risk Assessment
Companies that implement electronic data interchange (EDI) must identify the threats the system will face, such as:
1. Choosing an inappropriate technology
2. Unauthorized system access
3. Tapping into data transmissions
4. Loss of data integrity

Risk Assessment
5. Incomplete transactions
6. System failures
7. Incompatible systems

Risk Assessment
Some threats pose a greater risk because their occurrence is more likely.
What is an example?
A company is more likely to be the victim of a computer fraud than of a terrorist attack.
Risk and exposure must be considered together.

Learning Objective 5
Conduct a cost-benefit analysis for particular threats, exposures, risks, and controls.

Estimate Cost and Benefits
No internal control system can provide foolproof protection against all internal control threats.
The cost of a foolproof system would be prohibitively high.
One way to calculate benefits involves calculating expected loss.

Estimate Cost and Benefits
The benefit of a control procedure is the difference between the expected loss with the control procedure(s) and the expected loss without it.
Expected loss = risk × exposure

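An added example, not part of the original slides: a cost-benefit comparison of three candidate controls for one threat, using expected loss = risk × exposure and the benefit definition above. The threat, the controls and every figure are constructed; subtracting each control's cost from its benefit to get a net benefit is the assumed decision rule.

```python
from decimal import Decimal

def expected_loss(risk, exposure):
    """Expected loss = risk x exposure (risk as a probability, exposure in dollars)."""
    return Decimal(risk) * Decimal(exposure)

def evaluate(threat, controls):
    """Rank candidate controls for one threat by net benefit (benefit - cost)."""
    without_control = expected_loss(threat["risk"], threat["exposure"])
    rows = []
    for c in controls:
        # A control may lower the risk, the exposure, or both.
        with_control = expected_loss(c["risk_with"], c["exposure_with"])
        benefit = without_control - with_control
        net = benefit - Decimal(c["cost"])
        rows.append({"control": c["name"], "benefit": benefit,
                     "net_benefit": net, "worthwhile": net > 0})
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)

# Constructed figures for illustration only.
THREAT = {"name": "payroll processing error", "risk": "0.15", "exposure": "800000"}
CONTROLS = [
    # lowers the risk, exposure unchanged
    {"name": "data validation step", "cost": "10000",
     "risk_with": "0.01", "exposure_with": "800000"},
    # lowers the exposure, risk unchanged
    {"name": "loss-limiting procedure", "cost": "30000",
     "risk_with": "0.15", "exposure_with": "100000"},
    # largest benefit of the three, but its cost exceeds that benefit
    {"name": "full manual re-verification", "cost": "150000",
     "risk_with": "0.005", "exposure_with": "800000"},
]

RANKED = evaluate(THREAT, CONTROLS)

if __name__ == "__main__":
    print("expected loss without controls:",
          expected_loss(THREAT["risk"], THREAT["exposure"]))
    for row in RANKED:
        print(row)
```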
Information and Communication
The fourth component of COSO’s internal control model is information and communication.
Accountants must understand the following:
1. How transactions are initiated
2. How data are captured in machine-readable form or converted from source documents

Information and Communication
3. How computer files are accessed and updated
4. How data are processed to prepare information
5. How information is reported
6. How transactions are initiated
All of these items make it possible for the system to have an audit trail.
An audit trail exists when individual company transactions can be traced through the system.

Monitoring Performance
The fifth component of COSO’s internal control model is monitoring.
What are the key methods of monitoring performance?
– effective supervision
– responsibility accounting
– internal auditing

Case Conclusion
What happened to Jason’s report?
A high-level internal audit team was dispatched to Montana.
The team discovered that the problems identified by Jason occurred almost exclusively in transactions with three large vendors from whom Springer’s had purchased several million dollars of inventory.

Case Conclusion
One of the Springers held a significant ownership interest in each of these three companies.
They also found evidence that several of Springer’s employees were paid for more hours than documented by timekeeping, and that inventories were overstated.
Northwest settled the case with the Springers.

End of Chapter 7