Accounting Information Systems and Internal Controls

Chapter 10
Systems and
Internal Controls
Copyright © 2014 McGraw-Hill Education. All rights reserved. No reproduction or distribution without the prior written consent of McGraw-Hill Education.
Learning Objectives
• LO#1 Explain essential control concepts and why a
code of ethics and internal controls are important.
• LO#2 Explain the objectives and components of the
COSO internal control framework and the COSO
enterprise risk management framework.
• LO#3 Describe the overall COBIT framework and its
implications for IT governance.
• LO#4 Describe other governance frameworks related
to information systems management and security.
Ethics, Sarbanes-Oxley Act of 2002 and
Corporate Governance
LO# 1
The Need for a Code of Ethics
• Ethical behavior prompted by a code of ethics can be
considered a form of internal control.
• Employees with different cultural backgrounds are
likely to have different values.
• Many professional associations have developed
codes of ethics to assist professionals in selecting
among decisions that are not clearly right or wrong.
LO# 1
Sarbanes-Oxley Act of 2002
• SOX requires public companies registered with the
SEC and their auditors to annually assess and report
on the design and effectiveness of internal control
over financial reporting.
• Established the Public Company Accounting
Oversight Board (PCAOB) to provide independent
oversight of public accounting firms.
• PCAOB Auditing Standard No. 5 (AS 5, since recodified
as AS 2201) directs auditors to use a top-down, risk-based
approach to identify the key controls over financial reporting.
LO# 1
Corporate Governance
• A set of processes and policies for managing an
organization with sound ethics so as to safeguard the
interests of its stakeholders.
• Promotes accountability, fairness, and transparency
in the organization's relationship with its stakeholders.
LO# 1
Overview of Control Concepts
Three main functions of internal control:
• Preventive controls deter problems before they arise.
• Detective controls find problems after they arise (e.g., bank
reconciliations and monthly trial balances).
• Corrective controls fix problems that have been identified (e.g.,
restoring from backup files to recover corrupted data).
In a computerized environment:
• General controls pertain to enterprise-wide issues such as controls
over network access, developing and maintaining applications, and
documenting program changes.
• Application controls are specific to a subsystem or an application and
ensure the validity, completeness and accuracy of its transactions.
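The following is an added example, not code from the textbook, showing how the control types above look inside an application: preventive input edit checks (validity, completeness, sign and limit checks) run before a journal-entry line is posted, batch control totals and a debit/credit balance check run afterwards as detective controls, and a rejected line is what the detective check then surfaces for correction. The chart of accounts, the per-line limit and the sample batch are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal

# Constructed chart of accounts for the validity check (assumption, not from the text).
VALID_ACCOUNTS = {"1000", "1200", "2000", "4000", "5000"}
# Constructed limit check: any single line above this amount needs approval (assumption).
LINE_LIMIT = Decimal("50000")


@dataclass
class Line:
    """One journal-entry line; amounts use Decimal to avoid float rounding."""
    entry_id: str
    account: str
    debit: Decimal = Decimal("0")
    credit: Decimal = Decimal("0")


def preventive_edit_checks(line: Line) -> list[str]:
    """Input edit checks run before a line is posted (preventive application control).

    Returns the list of violations; an empty list means the line passes."""
    errors = []
    if not line.entry_id:
        errors.append("missing entry_id")                 # completeness
    if line.account not in VALID_ACCOUNTS:
        errors.append(f"invalid account {line.account}")  # validity
    if line.debit < 0 or line.credit < 0:
        errors.append("negative amount")                  # sign check
    if line.debit and line.credit:
        errors.append("both debit and credit set")        # validity
    if not line.debit and not line.credit:
        errors.append("zero amount")                      # completeness
    if max(line.debit, line.credit) > LINE_LIMIT:
        errors.append("over limit, requires approval")    # limit check
    return errors


def post_batch(lines, expected_count, expected_hash_total):
    """Post a batch. Lines failing the edit checks are rejected rather than posted.

    Batch control totals (record count and a hash total of account numbers) are a
    detective control: they reveal lost or duplicated records even when every
    surviving line is individually valid. Returns (posted, rejected, batch_ok)."""
    posted, rejected = [], []
    for line in lines:
        errs = preventive_edit_checks(line)
        (rejected if errs else posted).append((line, errs))
    count_ok = len(lines) == expected_count
    hash_total = sum(int(l.account) for l in lines if l.account.isdigit())
    return posted, rejected, count_ok and hash_total == expected_hash_total


def detective_balance_check(posted):
    """Post-posting detective control: debits must equal credits for each entry.

    Returns the ids of unbalanced entries (e.g., an entry that lost a line to rejection)."""
    totals: dict[str, tuple[Decimal, Decimal]] = {}
    for line, _ in posted:
        d, c = totals.get(line.entry_id, (Decimal("0"), Decimal("0")))
        totals[line.entry_id] = (d + line.debit, c + line.credit)
    return sorted(e for e, (d, c) in totals.items() if d != c)


# Constructed sample batch (assumption): E1 is clean, E2 credits an account that
# does not exist, E3 exceeds the per-line limit on both of its lines.
SAMPLE_LINES = [
    Line("E1", "1200", debit=Decimal("1000")),
    Line("E1", "4000", credit=Decimal("1000")),
    Line("E2", "5000", debit=Decimal("250")),
    Line("E2", "9999", credit=Decimal("250")),
    Line("E3", "1000", debit=Decimal("60000")),
    Line("E3", "2000", credit=Decimal("60000")),
]
# Control totals a data-entry clerk would compute from the source documents (constructed).
SAMPLE_COUNT = 6
SAMPLE_HASH_TOTAL = 1200 + 4000 + 5000 + 9999 + 1000 + 2000


def run_example():
    """Run the controls over the sample batch.

    Returns (number posted, rejected entry ids, batch_ok, unbalanced entry ids)."""
    posted, rejected, batch_ok = post_batch(SAMPLE_LINES, SAMPLE_COUNT, SAMPLE_HASH_TOTAL)
    unbalanced = detective_balance_check(posted)
    return len(posted), sorted(l.entry_id for l, _ in rejected), batch_ok, unbalanced


if __name__ == "__main__":
    print(run_example())
```

On the sample batch the edit checks reject E2's invalid-account line and both of E3's over-limit lines; the batch totals still agree because no record was lost in transit, but the balance check then flags E2 as unbalanced, which is the corrective-control trigger: someone must fix the rejected line and repost before the period closes. Removing a record from the batch, or miscounting it, fails the batch totals instead.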
Commonly used Internal Control
LO# 2
• The SEC requires management to evaluate internal
controls based on a recognized control framework.
• COSO Internal Control framework
-COSO: Committee of Sponsoring Organizations of
the Treadway Commission.
-The COSO Internal Control framework is one of the
most widely accepted authorities on internal control,
providing a baseline for evaluating, reporting on, and
improving internal control.
Commonly used Internal Control
LO# 2
• COSO 2.0
• COSO ERM framework: focuses on the strategic
alignment of the firm’s mission with its risk appetite.
• Control Objectives for Information and related
Technology (COBIT): a control framework for the
governance and management of enterprise IT.
• Information Technology Infrastructure Library (ITIL): a set
of concepts and practices for IT service management.
• International Organization for Standardization (ISO)
27000 Series: address information security issues.
LO# 2
COSO Internal Control Framework (COSO 2.0)
1. Internal control is a process consisting of ongoing
tasks and activities. It is a means to an end, not an
end in itself.
2. Internal control is effected by people. It is not merely
about policy manuals, systems and forms. Rather, it is
about people at every level of a firm whose actions shape
internal control.
3. Internal control can provide reasonable assurance,
not absolute assurance, to an entity's management
and board.
4. Internal control is geared toward the achievement of
objectives in one or more separate but overlapping
categories.
5. Internal control is adaptable to the entity structure.
LO# 2
COSO Internal Control Framework (COSO 2.0)
Three categories of objectives:
• Operations Objectives – effectiveness and efficiency
of a firm's operations, including operational and financial
performance goals and safeguarding assets against loss
• Reporting Objectives – reliability of reporting,
including internal and external financial and nonfinancial reporting
• Compliance Objectives – adherence to applicable
laws and regulations
LO# 2
COSO 2.0
Five components of internal control:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring Activities
COSO Enterprise Risk Management—
Integrated Framework
LO# 2
Four categories of objectives:
• Strategic — high-level goals, aligned with and
supporting the firm's mission and vision
• Operations — effectiveness and efficiency of the firm's operations
• Reporting — reliability of internal and external reporting
• Compliance — compliance with applicable laws and regulations
COSO Enterprise Risk Management—
Integrated Framework
LO# 2
Eight components of enterprise risk management:
Internal Environment
Objective Setting
Event Identification
Risk Assessment
Risk Response
Control Activities
Information and Communication
Monitoring
LO# 2
Risk Assessment and Risk Response
• Inherent risk: the risk that exists before management takes any
action to address it.
• Control risk: the threat that errors or irregularities in the
underlying transactions will not be prevented, detected and
corrected by the internal control system.
• Residual risk: the risk that remains after controls are applied,
estimated here as the product of inherent risk and control risk.
Four risk responses:
(1) Reduce risks by designing effective business processes and
implementing internal controls.
(2) Share risks by outsourcing business processes, buying insurance, or
entering into hedging transactions.
(3) Avoid risks by not engaging in the activities that would produce the
risk.
(4) Accept risks by relying on natural offsets of the risk within a
portfolio, or by tolerating the likelihood and impact of the risk as they are.
LO# 2
Risk Assessment and Risk Response
• Cost-benefit analysis is important in determining
whether to implement an internal control.
• The benefits of an internal control should exceed its cost.
• One way to measure the benefit of a control is the
estimated impact of a risk times the decrease in its
likelihood if the control is implemented.
• Expected benefit of an internal control = Impact X
Decrease in Likelihood
LO# 2
Control Activities
• Physical Controls: mainly manual, but may involve
the physical use of computing technology.
• IT controls: processes that provide assurance for
information and help to mitigate risks associated
with the use of technology.
-- IT general controls (ITGC)
-- IT application controls
LO# 3
COBIT Framework
• COBIT (Control Objectives for Information and
related Technology) is a generally accepted
framework for IT governance and management.
• Governance:
firm objectives: evaluating stakeholder needs,
setting direction through decision making, and
monitoring performance, compliance and progress
• Management:
activities: planning, building, running and monitoring
LO# 3
COBIT Framework
• Provides a business focus to align business and IT;
• Defines the scope and ownership of IT processes and controls;
• Is consistent with accepted IT good practices and standards;
• Provides a common language with a set of terms and
definitions that are generally understandable by all
stakeholders; and
• Meets regulatory requirements by being consistent with
generally accepted corporate governance standards (e.g.,
COSO) and the IT controls expected by regulators and auditors.
Information Technology Infrastructure
Library (ITIL)
LO# 4
• A de facto standard in Europe for best practices
in IT infrastructure management and service delivery.
• ITIL's value proposition centers on providing IT
services with an understanding of the business
objectives and priorities, and the role that IT services
play in achieving those objectives.
• ITIL adopts a lifecycle approach to IT services, and
organizes IT service management into five high-level
lifecycle stages.
International Organization for
Standardization (ISO) 27000 Series
LO# 4
• The ISO 27000 series of standards are designed to
address information security issues.
• The ISO 27000 series, particularly ISO 27001 and ISO
27002, has become the most widely recognized and
generally accepted set of information security
frameworks and guidelines.
• The main objective of the ISO 27000 series is to
provide a model for establishing, implementing,
operating, monitoring, maintaining, and improving
an Information Security Management System (ISMS).