Control and Accounting Information Systems
Chapter 7
Copyright © Pearson Education Limited 2015.

Learning Objectives
• Explain basic control concepts and why computer control and security are important.
• Compare and contrast the COBIT, COSO, and ERM control frameworks.
• Describe the major elements in the internal environment of a company.
• Describe the four types of control objectives that companies need to set.
• Describe the events that affect uncertainty and the techniques used to identify them.
• Explain how to assess and respond to risk using the Enterprise Risk Management model.
• Describe control activities commonly used in companies.
• Describe how to communicate information and monitor control processes in organizations.

Why Accounting Information Systems Threats Are Increasing (p.323)
1. The increase in the number of information systems means that information is available to an increasing number of workers.
2. Distributed computer networks are harder to control than centralized mainframe systems.
3. Customers and suppliers have access to each other's systems and data.

Why Organizations Do Not Adequately Protect Their Data (p.324)
1. Some companies view the loss of crucial information as a distant, unlikely threat.
2. The control implications of moving from centralized computer systems to Internet-based systems are not fully understood.
3. Many companies do not realize that information is a strategic resource and that protecting it must be a strategic requirement.
4. Productivity and cost pressures motivate management to forgo time-consuming control measures.

Threat or Event: any potential adverse occurrence or unwanted event that could be injurious to either the AIS or the organization.
Exposure or Impact: the potential dollar loss should a particular threat occur.
Likelihood of the threat: the probability that it will happen.

Overview of Internal Controls (p.352)
Internal Controls are the processes implemented to provide assurance that the following objectives are achieved:
▫Safeguard assets
▫Maintain sufficient records
▫Provide accurate and reliable information
▫Prepare financial reports according to established criteria
▫Promote and improve operational efficiency
▫Encourage adherence with management policies
▫Comply with laws and regulations

Why Control and Security Are Important (p.324)
▪ One of the primary objectives of an accounting information system is to control a business organization.
▪ One of management's basic functions is to ensure that enterprise objectives are achieved. Thus management's decisions pertaining to controls are crucial to the firm's success in meeting its objectives.
Accountants and systems developers help management achieve their control objectives by:
1. Designing effective control systems that take a proactive approach to eliminating system threats and that detect, correct, and recover from threats when they occur;
2. Building controls into a system at the initial design stage, which is easier than adding them after the fact.

Functions of Internal Controls (p.324)
Internal controls perform three important functions:
• Preventive controls
▫Deter problems before they arise
• Detective controls
▫Discover problems that are not prevented
• Corrective controls
▫Identify and correct problems; correct and recover from the resulting errors

Two Categories of Internal Controls (p.190)
General controls: make sure an organization's control environment is stable and well managed.
Examples include security; IT infrastructure; and software acquisition, development, and maintenance controls.
Application controls: prevent, detect, and correct transaction errors and fraud in application programs. They are concerned with the accuracy, completeness, validity, and authorization of the data captured, entered, processed, stored, transmitted to other systems, and reported.

Levers of Control (p.326)
Four levers of control help management reconcile the conflict between creativity and controls:
Belief system: communicates company core values to employees and inspires them to live by them.
Boundary system: helps employees act ethically by setting limits on employee behavior. This means encouraging employees to solve problems and meet customer needs within the limits of freedom.
Diagnostic control system: measures, monitors, and compares actual company progress to budgets and performance goals.
Interactive control system: helps managers focus subordinates' attention on key strategic issues and be more involved in their decisions.

Foreign Corrupt Practices Act (FCPA) and Sarbanes–Oxley Act (SOX) (p.325)
FCPA is legislation passed in 1977 that:
• Aims to prevent companies from bribing foreign officials to obtain business
• Requires all publicly owned corporations to maintain a system of internal accounting controls
SOX is legislation passed in 2002 that applies to publicly held companies and their auditors to:
• Prevent financial statement fraud
• Make financial reports transparent
• Protect investors
• Strengthen internal controls
• Punish executives who perpetrate fraud

Control Frameworks
• COBIT
▫Framework for IT control
• COSO
▫Framework for enterprise internal controls (control-based approach)
• COSO-ERM
▫Expands the COSO framework, taking a risk-based approach

COBIT Framework
Developed by the Information Systems Audit and Control Foundation (ISACF).
COBIT consolidates control standards from many different sources into a single framework that allows:
(1) management to benchmark security and control practices of IT environments;
(2) users to be assured that adequate IT security and controls exist;
(3) auditors to substantiate their internal control opinions and to advise on IT security and control matters.

COBIT Framework
Based on the following principles:
1. Meeting stakeholder needs: helps users customize business processes and procedures to create an information system.
2. Covering the enterprise end-to-end: integrates all IT functions and processes into companywide functions and processes.
3. Applying a single, integrated framework.
4. Enabling a holistic approach.
5. Separating governance from management: distinguishes between governance (direct, evaluate, and monitor) and management (plan, build, run, and monitor).

COBIT 5 Separates Governance from Management
(figure)

Components of COSO Frameworks
COSO:
• Control (internal) environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
COSO-ERM:
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring

COSO's Enterprise Risk Management Model
(figure: objectives, components, and units)

Internal Environment
1. Management's philosophy, operating style, and risk appetite
2. Commitment to integrity, ethical values, and competence
3. Internal control oversight by the Board of Directors
4. Organizing structure
5. Methods of assigning authority and responsibility
6. Human resource standards that attract, develop, and retain competent individuals
7. External influences

Objective Setting
• Strategic objectives
▫High-level goals that are aligned with the company's mission
• Operations objectives
▫Effectiveness and efficiency of operations
• Reporting objectives
▫Improve decision making and monitor performance
• Compliance objectives
▫Compliance with applicable laws and regulations

Event Identification
Event: a positive or negative incident or occurrence from internal or external sources that affects the implementation of strategy or the achievement of objectives.
An event represents uncertainty; it may or may not occur. If it does occur, it is hard to know when. Until it occurs, it may be difficult to determine its impact. Events may occur individually or concurrently. Management must try to anticipate all possible positive or negative events.

Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
▫Probability that the event will occur
• Impact
▫Estimate of the potential loss if the event occurs
Types of risk:
• Inherent
▫Risk that exists before plans are made to control it
• Residual
▫Risk that is left over after you control it

Risk Response
Management can respond to risk in one of four ways:
• Reduce
▫Implement effective internal control
• Accept
▫Do nothing; accept the likelihood and impact of the risk
• Share
▫Buy insurance, outsource, or hedge
• Avoid
▫Do not engage in the activity

Estimate Likelihood and Impact; Estimate Costs and Benefits
One way to estimate the value of internal controls involves expected loss:
Expected loss = Impact × Likelihood
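The expected-loss formula is what the cost/benefit comparison in the slide title rests on: a control is worth buying when the reduction in expected loss (inherent minus residual) exceeds what the control costs. The following Python is an added example, not code from the slides or the textbook. The threat, the two candidate controls, their costs, residual likelihoods and the risk-appetite threshold are constructed values, and the rule that maps the numbers onto the four risk responses named above is a simplification assumed here, not the textbook's procedure.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Threat:
    """A threat/event as defined in the slides: exposure (impact) and likelihood."""
    name: str
    impact: float      # exposure: potential dollar loss should the threat occur
    likelihood: float  # probability the threat occurs during the period (0.0 to 1.0)

    def expected_loss(self) -> float:
        # The slides' formula: Expected loss = Impact x Likelihood
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Control:
    """A candidate control that lowers likelihood and/or impact at a recurring cost."""
    name: str
    annual_cost: float
    residual_likelihood: float               # likelihood remaining once the control is in place
    residual_impact: Optional[float] = None  # set when the control caps the loss, not the probability


def residual_threat(threat: Threat, control: Control) -> Threat:
    """Residual risk: the inherent threat re-estimated with the control in place."""
    impact = threat.impact if control.residual_impact is None else control.residual_impact
    return Threat(threat.name, impact, control.residual_likelihood)


def control_benefit(threat: Threat, control: Control) -> float:
    """Benefit of a control = reduction in expected loss (inherent minus residual)."""
    return threat.expected_loss() - residual_threat(threat, control).expected_loss()


def net_benefit(threat: Threat, control: Control) -> float:
    """Net benefit = benefit minus the control's cost; positive means cost-justified."""
    return control_benefit(threat, control) - control.annual_cost


def recommend_response(threat: Threat, control: Control, risk_appetite: float) -> str:
    """Simplified decision rule (an assumption of this example): accept risk already
    within appetite; reduce when the control pays for itself; otherwise look at
    sharing (insurance, outsourcing, hedging) or avoiding the activity."""
    if threat.expected_loss() <= risk_appetite:
        return "Accept"
    if net_benefit(threat, control) > 0:
        return "Reduce"
    return "Share or Avoid"


def compare_controls(threat: Threat, controls: list, risk_appetite: float) -> list:
    """Rank candidate controls for one threat by net benefit, highest first."""
    rows = []
    for c in controls:
        rows.append({
            "control": c.name,
            "inherent_expected_loss": threat.expected_loss(),
            "residual_expected_loss": residual_threat(threat, c).expected_loss(),
            "net_benefit": net_benefit(threat, c),
            "response": recommend_response(threat, c, risk_appetite),
        })
    return sorted(rows, key=lambda r: r["net_benefit"], reverse=True)


# Constructed sample data (not from the slides): one threat, two candidate controls.
PAYMENT_FRAUD = Threat("unauthorized payment release", impact=500_000.0, likelihood=0.04)
DUAL_APPROVAL = Control("dual approval above a payment threshold",
                        annual_cost=6_000.0, residual_likelihood=0.005)
FULL_AUDIT_TEAM = Control("dedicated continuous-audit team",
                          annual_cost=25_000.0, residual_likelihood=0.001)
RISK_APPETITE = 5_000.0  # largest expected loss management is willing to carry uncontrolled


if __name__ == "__main__":
    for row in compare_controls(PAYMENT_FRAUD, [DUAL_APPROVAL, FULL_AUDIT_TEAM], RISK_APPETITE):
        print(f"{row['control']:<42} residual EL={row['residual_expected_loss']:>8,.0f}  "
              f"net benefit={row['net_benefit']:>8,.0f}  -> {row['response']}")
```

With the constructed numbers the inherent expected loss is 20,000; dual approval cuts it to 2,500 for a cost of 6,000 (net benefit 11,500, so "Reduce"), while the audit team cuts it further to 500 but costs more than it saves (net benefit -5,500), which is the situation where sharing or avoiding the risk should be examined rather than buying a control that is not cost-justified.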
Control Activities
Control activities are policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out:
• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls (C.20-C.22)
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
• Independent checks on performance

Figure 10.5 Segregation of System Duties

Information and Communication
There are three principles that apply to the information and communication process:
1. Obtain or generate relevant, high-quality information to support internal control.
2. Internally communicate the information, including objectives and responsibilities, necessary to support the other components of internal control.
3. Communicate relevant internal control matters to external parties.

Monitoring
• Perform internal control evaluations (e.g., internal audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g., budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal, network security)
• Employ a computer security officer and a chief compliance officer
• Engage forensic specialists
• Install fraud detection software

Key Terms
• Threat or Event
• Exposure or impact
• Likelihood
• Internal controls
• Preventive controls
• Detective controls
• Corrective controls
• General controls
• Application controls
• Belief system
• Boundary system
• Diagnostic control system
• Interactive control system
• Audit committee
• Foreign Corrupt Practices Act (FCPA)
• Sarbanes-Oxley Act (SOX)
• Public Company Accounting Oversight Board (PCAOB)
• Control Objectives for Information and Related Technology (COBIT)
• Committee of Sponsoring Organizations (COSO)
• Internal control-integrated framework (IC)
• Enterprise Risk Management Integrated Framework (ERM)
• Internal environment

Key Terms (continued)
• Risk appetite
• Policy and procedures manual
• Background check
• Strategic objectives
• Operations objectives
• Reporting objectives
• Compliance objectives
• Event
• Inherent risk
• Residual risk
• Expected loss
• Control activities
• Authorization
• Digital signature
• Specific authorization
• General authorization
• Segregation of accounting duties
• Collusion
• Segregation of systems duties
• Systems administrator
• Network manager
• Security management
• Change management
• Users
• Systems analysts
• Programmers
• Computer operators
• Information system library

Key Terms (continued)
• Data control group
• Steering committee
• Strategic master plan
• Project development plan
• Project milestones
• Data processing schedule
• System performance measurements
• Throughput
• Utilization
• Response time
• Postimplementation review
• Systems integrator
• Analytical review
• Audit trail
• Computer security officer (CSO)
• Chief compliance officer (CCO)
• Forensic investigators
• Computer forensics specialists
• Neural networks
• Fraud hotline
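Segregation of systems duties (the Control Activities slide, Figure 10.5, and the role terms in the key-terms list: systems administrator, network manager, security management, change management, users, systems analysts, programmers, computer operators, information system library, data control group) is checked in practice by reviewing who holds which roles and flagging anyone who holds two that should be kept apart. The following Python is an added example, not part of the slides or the textbook. The set of incompatible role pairs is an illustrative assumption (the textbook's figure governs in a real review), the person-to-role assignments are constructed, and `find_conflicts`, `unmitigated_conflicts` and `unknown_roles` are names chosen here. It also shows the "accept with a compensating control" case: a conflict that cannot be removed in a small IT function is carried only when an independent check on performance is recorded against it.

```python
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Roles named in the slides' key terms for segregation of systems duties.
SYSTEM_ROLES: Set[str] = {
    "systems administrator", "network manager", "security management",
    "change management", "user", "systems analyst", "programmer",
    "computer operator", "information system library", "data control group",
}

# Assumed incompatible pairs (illustrative, not the textbook's table). The common
# thread: nobody should both alter a program or its data and also run it, approve
# it, or hold custody of its production copy.
INCOMPATIBLE: Set[frozenset] = {
    frozenset({"programmer", "computer operator"}),
    frozenset({"programmer", "information system library"}),
    frozenset({"programmer", "change management"}),
    frozenset({"programmer", "user"}),
    frozenset({"systems analyst", "computer operator"}),
    frozenset({"computer operator", "information system library"}),
    frozenset({"security management", "systems administrator"}),
}

Conflict = Tuple[str, str, str]  # (person, role_a, role_b), roles in sorted order


def find_conflicts(assignments: Dict[str, Set[str]]) -> List[Conflict]:
    """Flag every person who holds two roles that should be segregated."""
    conflicts: List[Conflict] = []
    for person in sorted(assignments):
        for a, b in combinations(sorted(assignments[person]), 2):
            if frozenset({a, b}) in INCOMPATIBLE:
                conflicts.append((person, a, b))
    return conflicts


def unmitigated_conflicts(assignments: Dict[str, Set[str]],
                          compensating: Dict[Tuple[str, frozenset], str]) -> List[Conflict]:
    """Conflicts with no documented compensating control (independent check) on file.
    A conflict is only 'accepted' when keyed by the exact person and role pair."""
    return [c for c in find_conflicts(assignments)
            if (c[0], frozenset({c[1], c[2]})) not in compensating]


def unknown_roles(assignments: Dict[str, Set[str]]) -> Set[str]:
    """Roles in the review data that the duty model does not know (typos, stale titles):
    an unknown role can never be matched against INCOMPATIBLE, so it must be resolved."""
    return {r for roles in assignments.values() for r in roles} - SYSTEM_ROLES


# Constructed access-review data (not from the slides).
ACCESS_REVIEW: Dict[str, Set[str]] = {
    "alice": {"programmer", "systems analyst"},
    "bob": {"computer operator", "information system library"},
    "carol": {"programmer", "computer operator"},
    "dave": {"security management", "systems administrator"},
    "erin": {"user"},
}

# Constructed: dave's combination is accepted because an independent check exists.
COMPENSATED: Dict[Tuple[str, frozenset], str] = {
    ("dave", frozenset({"security management", "systems administrator"})):
        "quarterly review of admin and security logs by internal audit",
}


if __name__ == "__main__":
    for person, a, b in find_conflicts(ACCESS_REVIEW):
        status = COMPENSATED.get((person, frozenset({a, b})), "NO compensating control")
        print(f"{person}: holds both '{a}' and '{b}' -> {status}")
    print("unknown roles:", unknown_roles(ACCESS_REVIEW) or "none")
```

The review output should be read together with the key term "collusion": this check finds duties improperly combined in one person, but two people who together hold a segregated pair can still defeat the control by agreement, which is why the slides list independent checks on performance alongside segregation of duties rather than instead of it.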