Chapter 13 Control and Accounting Information Systems

Introduction
• Control - the process of exercising a restraining or directing influence over the activities of an object, organism, or system
  – The goal is to prevent losses from the many possible hazards that businesses face.
• The accountant’s job is to take a proactive approach to eliminating threats and to detect, correct, and recover from threats if they occur.
• Threat - any potential adverse occurrence or unwanted event that could injure either the AIS or the organization
• Exposure - the potential dollar loss of a particular threat if that threat occurs
• Risk - the likelihood that the threat will actually come to pass

Overview of Control Concepts
• Historical developments
  – 1949 - AIA
  – 1958 - SAP No. 29
  – 1972 - SAP No. 54
  – 1977 - Foreign Corrupt Practices Act
  – 1981 - Research Foundation of the FEI
  – 1988 - SAS No. 55
  – 1992 - Committee of Sponsoring Organizations (COSO)
• Internal control - the plan of organization and the methods a business uses to safeguard assets, provide accurate and reliable information, promote and improve operational efficiency, and encourage adherence to prescribed management policies
• Management control - designed to reduce errors and irregularities and help employees achieve goals by following policies
• Administrative controls - help ensure operational efficiency and adherence to managerial policies
• Accounting controls - safeguard assets and ensure the reliability of accounting records
• Internal control structure - policies and procedures established to provide reasonable assurance that objectives will be achieved
• Internal control classifications
  – Preventive, Detective, and Corrective
  – Feedback and Feedforward
  – General and Application
  – Input, Processing, and Output

Internal Control Classifications
• Preventive - designed to stop problems before they arise
• Detective - designed to find problems if they arise
• Corrective - designed to fix problems once they are found
  – Find the cause of the problems
  – Correct the results of the problem
  – Modify the system to keep the problem from happening again
• Feedback controls - measure a process and correct it when deviations from normal occur
• Feedforward controls - monitor a process and inputs to that process and try to predict potential problems
• General controls - ensure that the control environment is stable and well managed to enhance the effectiveness of application controls
• Application controls - used to prevent, detect, and correct errors and irregularities during processing
• Input controls - ensure that only accurate, valid, and authorized data are entered into the system
• Processing controls - ensure that all data are processed completely and accurately and all applicable files are updated correctly
• Output controls - ensure that output is properly controlled

The Foreign Corrupt Practices Act
• Passed by Congress in 1977 in response to a bribery scandal
  – Primary purpose was to prevent the bribery of foreign officials in order to obtain business
  – Significant effect was to require all publicly traded companies to have a good system of internal controls
• Requires all SEC registrants to have a system that provides reasonable assurance that:
  – Transactions are executed with management’s authorization
  – Transactions are recorded to permit preparation of financial statements and maintain accountability for assets
  – Access to assets is permitted only with authorization
  – Recorded assets are compared to existing assets and action taken with respect to differences

Committee of Sponsoring Organizations (COSO)
• Defined internal control as the process implemented to provide reasonable assurance that control objectives are achieved with regard to:
  – Effectiveness and efficiency of operations
  – Reliability of financial reporting
  – Compliance with applicable laws and regulations
• Five interrelated components of internal control:
  – Control environment
  – Control activities
  – Risk assessment
  – Information and communication
  – Monitoring

The Control Environment
• Management philosophy and operating style
  – Employees follow the lead of management.
  – Assessing management’s philosophy:
    • Does management take undue risks to achieve objectives?
    • Does management attempt to manipulate performance measures to make the company look better?
    • Does management pressure employees to achieve results regardless of the methods required?
• Organizational structure - defines the lines of authority and responsibility and provides the overall framework for how things are done
• Audit Committee of the Board of Directors - composed entirely of outside directors (directors who are not employees of the company) - provides an independent review of management
• Methods of assigning authority and responsibility - job descriptions, employee training, and operating plans, schedules, and budgets
  – Formal code of conduct addresses issues such as ethics, acceptable business practices, and conflicts of interest.
  – Written policy and procedures manuals spell out exactly what is expected of employees.
• Human resources policies and procedures - rules for hiring, evaluating, compensating, and promoting employees
  – Hire and promote employees based on performance.
  – Background checks on applicants are very important.
• External influences - FASB or SEC requirements and government regulations

Control Activities
• Control activities - rules that provide reasonable assurance that management’s control objectives are achieved.
• Five categories:
  – Proper authorization of transactions and activities
  – Separation of duties
  – Design and use of adequate documents and records
  – Adequate safeguards over assets and records
  – Independent checks on performance
• Proper authorization
  – General authorization - authorize employees to handle routine transactions without explicit approval from management (daily sales)
  – Specific authorization - require employees to obtain approval for unusual or large transactions (sale in excess of a certain amount, write off of an A/R over a certain amount)
• Separation of duties - no single employee should have too much responsibility - must separate the authorization, recording and custody of assets involved in a transaction
• Documents and records - help to ensure accurate and complete recording of all relevant data about transactions and events
  – Keep forms simple and include room for authorization
• Safeguarding of assets - both physical assets and information
  – Supervise and separate duties
  – Maintain accurate records
  – Restrict physical access to assets
  – Restrict access to certain critical locations
  – Physically protect documents and records
  – Control the environment
  – Restrict access to systems with passwords
• Independent checks
  – Reconciliation of two independent sets of records
  – Comparison of actual quantities to recorded amounts
  – Double-entry accounting
  – Batch totals (financial total, hash total, record count, line count, cross-footing balance test)
  – Independent review for authorization, supporting documentation, and accuracy

Risk Assessment
• Steps in assessing risk:
  – Identify threats - natural or manmade
  – Estimate the risk - likelihood that a threat will happen
  – Estimate exposure - potential dollar loss
  – Identify controls - consider effectiveness and timing
  – Estimate costs and benefits - design to provide reasonable assurance
  – Determine cost/benefit effectiveness
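
The risk assessment steps above carried through for a small threat register, as an added example that is not part of the original slides. It assumes expected loss is likelihood times exposure and that a control is cost-effective when the reduction in expected loss exceeds its cost; the threats, controls and dollar figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    name: str
    likelihood: float           # risk: chance the threat occurs in a year
    exposure: float             # potential dollar loss if it does occur
    control: str                # candidate control for this threat
    control_cost: float         # annual cost of running the control
    residual_likelihood: float  # estimated likelihood with the control in place

def expected_loss(likelihood: float, exposure: float) -> float:
    # Assumption (not stated on the slides): expected loss = likelihood x exposure.
    return round(likelihood * exposure, 2)

def assess(t: Threat) -> dict:
    # Benefit of a control = expected loss it removes; compare that to its cost.
    before = expected_loss(t.likelihood, t.exposure)
    after = expected_loss(t.residual_likelihood, t.exposure)
    net_benefit = round((before - after) - t.control_cost, 2)
    return {"threat": t.name, "control": t.control, "before": before,
            "after": after, "net_benefit": net_benefit,
            "implement": net_benefit > 0}

def rank(register: list) -> list:
    # Highest net benefit first, so a limited budget goes to the best controls.
    return sorted((assess(t) for t in register),
                  key=lambda r: r["net_benefit"], reverse=True)

# Constructed sample register; every name and figure is illustrative.
REGISTER = [
    Threat("Server room flood", 0.02, 500_000, "Off-site backups", 4_000, 0.005),
    Threat("Payroll master file altered", 0.15, 800_000,
           "Access restrictions and independent review", 10_000, 0.01),
    Threat("Petty cash theft", 0.30, 2_000, "Dedicated custodian", 30_000, 0.05),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        verdict = "implement" if r["implement"] else "reject (cost exceeds benefit)"
        print(f'{r["threat"]:<30} {r["before"]:>10,.0f} -> {r["after"]:>8,.0f}'
              f'  net {r["net_benefit"]:>10,.0f}  {verdict}')
```

The petty cash row shows the cost/benefit step rejecting a control: the custodian costs far more than the expected loss it would remove.
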

Risk Assessment
• Compliance with the Foreign Corrupt Practices Act
  – Document existing control system
  – Evaluate the quality of the internal control system - within bounds of reasonable assurance
  – Evaluate the costs and benefits of instituting controls
  – Weigh the costs and benefits to determine whether more control is needed

Information and Communication
• The primary purpose of an AIS is to record, process, store, and communicate information about an organization; therefore, accountants must understand:
  – how transactions are initiated
  – how data are captured
  – how computer files are accessed and updated
  – how data are processed to prepare information
  – how information is reported to internal users and external parties
• According to the AICPA, an AIS has 5 primary objectives
  – Identify and record all valid transactions
  – Properly classify transactions
  – Record transactions at their proper value
  – Record transactions in the proper period
  – Properly present transactions and related disclosures in the financial statements

Monitoring Performance
• Effective supervision - training and assisting employees, monitoring performance, correcting errors, and safeguarding assets by overseeing employees who have access to them
• Responsibility reporting - use of budgets, quotas, standard costs, and investigation of variances
• Internal auditing - reviewing the reliability of financial and operating information and providing an appraisal of internal control effectiveness
  – Also involves assessing employee compliance with policies and procedures and applicable laws and regulations and assessing the efficiency and effectiveness of management
  – Internal audit must be separate from accounting and operating functions of the organization