Accounting Information Systems, Fourteenth Edition

Chapter 7: Control and Accounting Information Systems

Copyright © 2017, 2016, 2015 Pearson Education, Inc. All Rights Reserved


Learning Objectives (1 of 2)

• Explain basic control concepts and why computer control and security are important.

• Compare and contrast the COBIT, COSO, and ERM control frameworks.

• Describe the major elements in the internal environment of a company.

• Describe the control objectives that companies need to set and how to identify events that affect organizational uncertainty.


Learning Objectives (2 of 2)

• Explain how to assess and respond to risk using the Enterprise Risk Management model.

• Describe control activities commonly used in companies.

• Describe how to communicate information and monitor control processes in organizations.


Why Is Control Needed?

• Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.

• The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.

• The probability that the threat will happen is the likelihood associated with the threat.


A Primary Objective of an AIS

• Is to control the organization so that it can achieve its objectives

• Management expects accountants to:

– Take a proactive approach to eliminating system threats.

– Detect, correct, and recover from threats when they occur.


Internal Controls

• Processes implemented to provide assurance that the following objectives are achieved:

– Safeguard assets

– Maintain sufficient records

– Provide accurate and reliable information

– Prepare financial reports according to established criteria

– Promote and improve operational efficiency

– Encourage adherence with management policies

– Comply with laws and regulations


Functions of Internal Controls

• Preventive controls

– Deter problems from occurring

• Detective controls

– Discover problems that are not prevented

• Corrective controls

– Identify and correct problems that have occurred, and recover from them


Foreign Corrupt Practices Act (FCPA) and Sarbanes–Oxley Act (SOX)

• FCPA is legislation passed in 1977 that

– Prohibits companies from bribing foreign officials to obtain business

– Requires all publicly owned corporations to maintain a system of internal accounting controls

• SOX is legislation passed in 2002 that applies to publicly held companies and their auditors and aims to

– Prevent financial statement fraud

– Make financial reports more transparent

– Protect investors

– Strengthen internal controls

– Punish executives who perpetrate fraud


Control Frameworks

• COBIT

– Framework for IT control

• COSO

– Framework for enterprise internal controls (control-based approach)

• COSO-ERM

– Expands COSO framework taking a risk-based approach


COBIT Framework

• Current framework version is COBIT 5 (current when this edition was published; ISACA has since released COBIT 2019)

• Based on the following principles:

– Meeting stakeholder needs

– Covering the enterprise end-to-end

– Applying a single, integrated framework

– Enabling a holistic approach

– Separating governance from management


COBIT5 Separates Governance from Management

• Governance (evaluate, direct, monitor) is the responsibility of the board; management (plan, build, run, monitor) executes within the direction the board sets


Components of COSO Frameworks

COSO

• Control (internal) environment

• Risk assessment

• Control activities

• Information and communication

• Monitoring

COSO-ERM

• Internal environment

• Objective setting

• Event identification

• Risk assessment

• Risk response

• Control activities

• Information and communication

• Monitoring


Internal Environment

• Management's philosophy, operating style, and risk appetite

• Commitment to integrity, ethical values, and competence

• Internal control oversight by the Board of Directors

• Organizational structure

• Methods of assigning authority and responsibility

• Human resource standards


Objective Setting

• Strategic objectives

– High-level goals

• Operations objectives

– Effectiveness and efficiency of operations

• Reporting objectives

– Improve decision making and monitor performance

• Compliance objectives

– Compliance with applicable laws and regulations


Event Identification

Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization's objectives.

Key Management Questions:

• What could go wrong?

• How can it go wrong?

• What is the potential harm?

• What can be done about it?


Risk Assessment

Risk is assessed from two perspectives:

• Likelihood

– Probability that the event will occur

• Impact

– Estimate of the potential loss if the event occurs

Types of risk

• Inherent

– Risk that exists before any plans are made to control it

• Residual

– Risk that remains after controls have been put in place


Risk Response

• Reduce

– Implement effective internal control

• Accept

– Do nothing; accept the likelihood and impact of the risk

• Share

– Buy insurance, outsource, or hedge

• Avoid

– Do not engage in the activity
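The likelihood/impact model on the Risk Assessment and Risk Response slides above, as an added worked example that is not from the textbook or its publisher: a small Python risk register computes expected loss (likelihood times impact), inherent and residual risk, the net benefit of a control, and maps the result to one of the four ERM responses. The dollar figures, probabilities, control effects, the risk appetite and the decision rule inside recommend_response are all assumptions constructed for this example.

```python
# Added example, not from the textbook: expected loss, inherent vs. residual
# risk, control cost-benefit, and an ERM risk response. All numbers and the
# decision rule are assumptions constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    annual_cost: float        # cost to implement and operate the control per year
    likelihood_factor: float  # multiplies likelihood once in place (1.0 = no change)
    impact_factor: float      # multiplies impact once in place (1.0 = no change)


@dataclass
class RiskEvent:
    name: str
    likelihood: float   # probability the event occurs in a year (0..1)
    impact: float       # exposure: dollar loss if it occurs
    controls: list = field(default_factory=list)


def expected_loss(likelihood, impact):
    """Expected loss = likelihood x impact."""
    return likelihood * impact


def inherent_risk(ev):
    """Expected loss before any control is applied."""
    return expected_loss(ev.likelihood, ev.impact)


def residual_risk(ev):
    """Expected loss that remains once the event's controls are in place."""
    likelihood, impact = ev.likelihood, ev.impact
    for c in ev.controls:
        likelihood *= c.likelihood_factor
        impact *= c.impact_factor
    return expected_loss(likelihood, impact)


def net_benefit(ev):
    """Reduction in expected loss minus what the controls cost each year."""
    saved = inherent_risk(ev) - residual_risk(ev)
    return saved - sum(c.annual_cost for c in ev.controls)


def recommend_response(ev, risk_appetite, share_premium=None, avoidable=False):
    """Assumed decision rule mapping the numbers onto reduce/accept/share/avoid.

    risk_appetite: expected loss per year that management is willing to carry.
    share_premium: annual price of transferring the risk (insurance, outsourcing),
                   or None if no such option exists.
    avoidable:     whether the activity that gives rise to the risk can be dropped.
    """
    inherent = inherent_risk(ev)
    if inherent <= risk_appetite:
        return "accept"                      # within appetite: do nothing
    if ev.controls and net_benefit(ev) > 0 and residual_risk(ev) <= risk_appetite:
        return "reduce"                      # controls pay for themselves and suffice
    if share_premium is not None and share_premium < inherent:
        return "share"                       # cheaper to transfer than to carry
    if avoidable:
        return "avoid"                       # no economic control and no transfer
    return "accept"                          # above appetite: a conscious management decision


# Constructed sample register (not real data).
EVENTS = [
    RiskEvent("payroll data-entry error", 0.30, 20_000,
              [Control("input validation + supervisory review", 1_500, 0.20, 1.0)]),
    RiskEvent("warehouse fire", 0.01, 2_000_000,
              [Control("sprinkler system", 25_000, 1.0, 0.50)]),
    RiskEvent("petty cash shortage", 0.50, 200),
    RiskEvent("sales through unvetted foreign agents", 0.20, 500_000),
]


def assess_register(events, risk_appetite=2_000):
    """Return {event name: (inherent, residual, net benefit, response)}."""
    options = {"warehouse fire": {"share_premium": 15_000},
               "sales through unvetted foreign agents": {"avoidable": True}}
    return {ev.name: (inherent_risk(ev), residual_risk(ev), net_benefit(ev),
                      recommend_response(ev, risk_appetite, **options.get(ev.name, {})))
            for ev in events}


if __name__ == "__main__":
    for name, (inh, res, ben, resp) in assess_register(EVENTS).items():
        print(f"{name:40s} inherent={inh:>10,.0f} residual={res:>10,.0f} "
              f"net benefit={ben:>10,.0f} -> {resp}")
```

Note that the sprinkler control in the sample is rejected on cost-benefit grounds (it saves 10,000 a year in expected loss but costs 25,000), which is why the rule falls through to sharing the risk; a control is only a "reduce" response when its cost is below the expected loss it removes.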


Control Activities

• Proper authorization of transactions and activities

• Segregation of duties

• Project development and acquisition controls

• Change management controls

• Design and use of documents and records

• Safeguarding assets, records, and data

• Independent checks on performance
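The three functions of internal controls (preventive, detective, corrective) and the first two control activities listed above, as an added example that is not from the textbook: a purchase-posting routine applies general authorization to transactions within policy and requires specific authorization (an explicit approval by someone other than the initiator) above it; an independent check then re-tests the posted ledger, and a corrective step reverses anything that got in without passing the preventive control. The limit, the approved-vendor list, the user names and the sample transactions are constructed assumptions.

```python
# Added example, not from the textbook: preventive, detective and corrective
# controls around transaction authorization. Policy values and data are constructed.
from dataclasses import dataclass
from typing import Optional

GENERAL_LIMIT = 5_000.00              # assumed policy: up to this amount general authorization applies
APPROVED_VENDORS = {"V100", "V200"}   # assumed approved-vendor master file


@dataclass
class Purchase:
    txn_id: str
    initiator: str
    vendor: str
    amount: float
    approver: Optional[str] = None    # specific authorization, when required
    status: str = "pending"


class AuthorizationError(Exception):
    pass


def authorize(p):
    """Preventive control: return the kind of authorization that covers p, or raise."""
    if p.vendor not in APPROVED_VENDORS:
        raise AuthorizationError(f"{p.txn_id}: vendor {p.vendor} is not approved")
    if p.amount <= GENERAL_LIMIT:
        return "general"              # routine transaction covered by standing policy
    if p.approver is None:
        raise AuthorizationError(f"{p.txn_id}: {p.amount:.2f} exceeds limit, needs specific approval")
    if p.approver == p.initiator:
        raise AuthorizationError(f"{p.txn_id}: initiator may not approve own transaction")
    return "specific"


def post(ledger, p):
    """Post only what passes the preventive control."""
    kind = authorize(p)
    p.status = "posted"
    ledger.append(p)
    return kind


def independent_check(ledger):
    """Detective control: re-test every posted entry against the same rules.

    Anything that went through post() passes again; what this catches is an
    entry that reached the ledger by a path that skipped the control.
    """
    exceptions = []
    for p in ledger:
        if p.status != "posted":
            continue
        try:
            authorize(p)
        except AuthorizationError as err:
            exceptions.append((p.txn_id, str(err)))
    return exceptions


def correct(ledger, exceptions):
    """Corrective control: reverse each flagged entry and record the reversal."""
    flagged = {txn_id for txn_id, _ in exceptions}
    reversals = []
    for p in ledger:
        if p.txn_id in flagged and p.status == "posted":
            p.status = "reversed"
            reversals.append(Purchase(f"{p.txn_id}-REV", "control-group", p.vendor,
                                      -p.amount, status="posted"))
    ledger.extend(reversals)
    return [r.txn_id for r in reversals]


def run_scenario():
    """Constructed scenario; returns (posted kinds, rejected ids, exceptions, reversals)."""
    ledger, kinds, rejected = [], {}, []
    incoming = [
        Purchase("P1", "alice", "V100", 1_200.00),                     # general authorization
        Purchase("P2", "alice", "V200", 9_800.00, approver="bob"),     # specific authorization
        Purchase("P3", "alice", "V200", 7_500.00, approver="alice"),   # self-approval: rejected
        Purchase("P4", "carol", "V999", 300.00),                       # unapproved vendor: rejected
    ]
    for p in incoming:
        try:
            kinds[p.txn_id] = post(ledger, p)
        except AuthorizationError:
            rejected.append(p.txn_id)
    # An entry written straight into the ledger, bypassing post() (think of a
    # direct database write): the preventive control never saw it.
    ledger.append(Purchase("P5", "dave", "V100", 12_000.00, status="posted"))
    exceptions = independent_check(ledger)
    reversals = correct(ledger, exceptions)
    return kinds, rejected, exceptions, reversals


if __name__ == "__main__":
    print(run_scenario())
```

The detective control is only worth having because it runs over the ledger itself rather than over the input queue; if it shared the posting path it could never see what bypassed that path.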


Segregation of Accounting Duties

• Separate the authorization, recording, and custody functions so that no one person can both commit and conceal an error or fraud; once duties are properly segregated, fraud requires collusion


Segregation of Systems Duties

• Divide authority and responsibility among the following systems functions; allowing one person to perform two or more of them exposes the company to fraud

– System administration

– Network management

– Security management

– Change management

– Users

– Systems analysts

– Programmers

– Computer operators

– Information system librarian

– Data control
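Segregation of accounting duties (the previous slide) and of systems duties (this slide), as an added example that is not from the textbook: a Python checker expands each user's role memberships into the duties they can actually perform and reports every pair that must be held by different people. Treating any two of the accounting functions (authorization, recording, custody) as incompatible, and any two of the listed systems functions as incompatible, follows the slides; the role names, the user memberships and the can_assign pre-check are constructed assumptions.

```python
# Added example, not from the textbook: segregation-of-duties check over
# user -> role -> duty assignments. Role names and memberships are constructed.
from itertools import combinations

# Assumed identifiers for the chapter's functions. Any two accounting duties
# conflict; any two systems functions conflict. One accounting duty plus one
# systems function is not flagged by this rule.
ACCOUNTING_DUTIES = {"authorization", "recording", "custody"}
SYSTEMS_DUTIES = {
    "system_administration", "network_management", "security_management",
    "change_management", "user", "systems_analyst", "programmer",
    "computer_operator", "information_system_librarian", "data_control",
}


def incompatible(a, b):
    """True when a single person must not hold both duties."""
    if a == b:
        return False
    return ({a, b} <= ACCOUNTING_DUTIES) or ({a, b} <= SYSTEMS_DUTIES)


def effective_duties(roles, role_duties):
    """Collapse a list of role names into the set of duties they grant."""
    duties = set()
    for role in roles:
        duties |= set(role_duties.get(role, ()))
    return duties


def find_violations(memberships, role_duties):
    """Detective control: {user: [(duty_a, duty_b), ...]} for every conflict.

    Conflicts are evaluated on the *combined* duty set, so two roles that are
    each harmless on their own are still caught when one person holds both.
    """
    report = {}
    for user, roles in memberships.items():
        duties = sorted(effective_duties(roles, role_duties))
        conflicts = [(a, b) for a, b in combinations(duties, 2) if incompatible(a, b)]
        if conflicts:
            report[user] = conflicts
    return report


def can_assign(user, new_role, memberships, role_duties):
    """Preventive control: refuse a role grant that would create a conflict.

    Returns (ok, conflicts); run it before provisioning, not after.
    """
    current = effective_duties(memberships.get(user, []), role_duties)
    added = effective_duties([new_role], role_duties)
    conflicts = sorted((a, b) for a in current for b in added if incompatible(a, b))
    return (not conflicts, conflicts)


# Constructed sample data (not real roles or people).
ROLE_DUTIES = {
    "ap_clerk":       {"recording"},
    "purchasing_mgr": {"authorization"},
    "cashier":        {"custody"},
    "developer":      {"programmer"},
    "prod_ops":       {"computer_operator"},
    "netadmin":       {"network_management"},
}
MEMBERSHIPS = {
    "alice": ["ap_clerk"],
    "bob":   ["purchasing_mgr", "cashier"],   # approves payments and holds the cash
    "carol": ["developer", "prod_ops"],       # writes code and runs it in production
    "dave":  ["developer"],
}


if __name__ == "__main__":
    for user, pairs in find_violations(MEMBERSHIPS, ROLE_DUTIES).items():
        print(f"{user}: must not hold both {pairs}")
    ok, why = can_assign("dave", "prod_ops", MEMBERSHIPS, ROLE_DUTIES)
    print("grant prod_ops to dave:", "allowed" if ok else f"denied {why}")
```

In practice the memberships dictionary would come from an identity-provider or ERP role export; the point of the example is that the check has to be done on effective duties, since each role in the sample is clean by itself and the violations only appear when roles accumulate on one account.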


Monitoring

• Perform internal control evaluations (e.g., internal audit)

• Implement effective supervision

• Use responsibility accounting systems (e.g., budgets)

• Monitor system activities

• Track purchased software and mobile devices

• Conduct periodic audits (e.g., external, internal, network security)

• Employ a computer security officer

• Engage forensic specialists

• Install fraud detection software

• Implement fraud hotline


Key Terms (1 of 3)

• Threat/Event

• Exposure/impact

• Likelihood/risk

• Internal controls

• Preventive controls

• Detective controls

• Corrective controls

• General controls

• Application controls

• Belief system

• Boundary system

• Diagnostic control system

• Interactive control system

• Foreign Corrupt Practices Act (FCPA)

• Sarbanes-Oxley Act (SOX)

• Public Company Accounting Oversight Board (PCAOB)

• Control Objectives for Information and Related Technology (COBIT)

• Committee of Sponsoring Organizations (COSO)

• Internal Control–Integrated Framework (IC)

• Enterprise Risk Management–Integrated Framework (ERM)

• Internal environment


Key Terms (2 of 3)

• Risk appetite

• Audit committee

• Policy and procedures manual

• Background check

• Strategic objectives

• Operations objectives

• Reporting objectives

• Compliance objectives

• Event

• Inherent risk

• Residual risk

• Expected loss

• Control activities

• Authorization

• Digital signature

• Specific authorization

• General authorization

• Segregation of accounting duties

• Collusion

• Segregation of systems duties

• Systems administrator

• Network manager

• Security management

• Change management

• Users

• Systems analysts

• Programmers

• Computer operators

• Information system library


Key Terms (3 of 3)

• Data control group

• Steering committee

• Strategic master plan

• Project development plan

• Project milestones

• Data processing schedule

• System performance measurements

• Throughput

• Utilization

• Response time

• Postimplementation review

• Systems integrator

• Analytical review

• Audit trail

• Computer security officer (CSO)

• Chief compliance officer (CCO)

• Forensic investigators

• Computer forensics specialists

• Neural networks

• Fraud hotline