ALWAYS LEARNING Copyright © 2017, 2016, 2015 Pearson Education, Inc. All Rights Reserved
Accounting Information Systems Fourteenth Edition
Chapter 7: Control and Accounting Information Systems
Learning Objectives (1 of 2)
• Explain basic control concepts and why computer control
and security are important.
• Compare and contrast the COBIT, COSO, and ERM
control frameworks.
• Describe the major elements in the internal environment of
a company.
• Describe the control objectives that companies need to set
and how to identify events that affect organizational
uncertainty.
Learning Objectives (2 of 2)
• Explain how to assess and respond to risk using the
Enterprise Risk Management model.
• Describe control activities commonly used in companies.
• Describe how to communicate information and monitor
control processes in organizations.
Why Is Control Needed?
• Any potential adverse occurrence or unwanted event that
could be injurious to either the accounting information
system or the organization is referred to as a threat or an
event.
• The potential dollar loss should a particular threat become
a reality is referred to as the exposure or impact of the
threat.
• The probability that the threat will happen is the likelihood
associated with the threat.
A Primary Objective of an AIS
• Is to control the organization so the organization can
achieve its objectives
• Management expects accountants to:
– Take a proactive approach to eliminating system threats.
– Detect, correct, and recover from threats when they occur.
Internal Controls
• Processes implemented to provide assurance that the
following objectives are achieved:
– Safeguard assets
– Maintain sufficient records
– Provide accurate and reliable information
– Prepare financial reports according to established criteria
– Promote and improve operational efficiency
– Encourage adherence with management policies
– Comply with laws and regulations
Functions of Internal Controls
• Preventive controls
– Deter problems from occurring
• Detective controls
– Discover problems that are not prevented
• Corrective controls
– Identify the cause of a problem, correct the resulting errors, and recover from it
Foreign Corrupt Practices (FCPA) and
Sarbanes–Oxley Acts (SOX)
• FCPA is legislation passed in 1977 that
– Prohibits companies from bribing foreign officials to obtain business
– Requires all publicly owned corporations to maintain a system of
internal accounting controls
• SOX is legislation passed in 2002 that applies to publicly held
companies and their auditors in order to
– Prevent financial statement fraud
– Make financial reports more transparent
– Protect investors
– Strengthen internal controls
– Punish executives who perpetrate fraud
Control Frameworks
• COBIT
– Framework for IT control
• COSO
– Framework for enterprise internal controls (control-based
approach)
• COSO-ERM
– Expands COSO framework taking a risk-based approach
COBIT Framework
• The framework version current when this edition was published is COBIT 5
• Based on the following principles:
– Meeting stakeholder needs
– Covering the enterprise end-to-end
– Applying a single, integrated framework
– Enabling a holistic approach
– Separating governance from management
COBIT5 Separates Governance from
Management
Components of COSO Frameworks
COSO
• Control (internal) environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
COSO-ERM
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
Internal Environment
• Management’s philosophy, operating style, and risk
appetite
• Commitment to integrity, ethical values, and competence
• Internal control oversight by Board of Directors
• Organizational structure
• Methods of assigning authority and responsibility
• Human resource standards
Objective Setting
• Strategic objectives
– High-level goals
• Operations objectives
– Effectiveness and efficiency of operations
• Reporting objectives
– Improve decision making and monitor performance
• Compliance objectives
– Compliance with applicable laws and regulations
Event Identification
Identifying incidents, both external and internal to the
organization, that could affect the achievement of the
organization's objectives
Key Management Questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?
Risk Assessment
Risk is assessed from two perspectives:
• Likelihood
– Probability that the event will occur
• Impact
– Estimate potential loss if event occurs
Types of risk
• Inherent
– Risk that exists before any controls are put in place
• Residual
– Risk that remains after controls have been applied
Risk Response
• Reduce
– Implement effective internal control
• Accept
– Do nothing; accept the likelihood and impact of the risk
• Share
– Buy insurance, outsource, or hedge
• Avoid
– Do not engage in the activity
Control Activities
• Proper authorization of transactions and activities
• Segregation of duties
• Project development and acquisition controls
• Change management controls
• Design and use of documents and records
• Safeguarding assets, records, and data
• Independent checks on performance
Segregation of Accounting Duties
Segregation of Systems Duties
• Segregation of systems duties divides authority and
responsibility among the following systems functions
– System administration
– Network management
– Security management
– Change management
– Users
– Systems analysts
– Programmers
– Computer operators
– Information system librarian
– Data control
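The principle behind this slide is that no single person should hold two functions that together let them both cause and conceal a problem (for example, write a program and then run it in production with no one else involved). In practice access is granted through group membership, so the check has to be made on a person's effective set of functions, not on any one group. The following is an added example, not code from the textbook: the function names are the ones listed above, while the incompatible pairs, group names and user assignments are assumptions constructed to illustrate the check.

```python
"""Segregation-of-duties (SoD) conflict check over group-based access.

Added example, not from the textbook. The systems functions are the ones
named on the slide; the conflicting pairs, groups and users below are
assumptions constructed for illustration.
"""
from itertools import combinations

# Systems functions named on the slide.
FUNCTIONS = {
    "system administration", "network management", "security management",
    "change management", "users", "systems analysts", "programmers",
    "computer operators", "information system librarian", "data control",
}

# Assumed incompatible pairs: one person holding both could both create and
# conceal an error or fraud (write code and run it; approve own changes; etc.).
CONFLICTS = {
    frozenset({"programmers", "computer operators"}),
    frozenset({"programmers", "change management"}),
    frozenset({"programmers", "information system librarian"}),
    frozenset({"systems analysts", "users"}),
    frozenset({"security management", "system administration"}),
    frozenset({"data control", "users"}),
}

# Constructed sample data: group -> functions it grants, user -> groups held.
GROUP_FUNCTIONS = {
    "dev": {"programmers"},
    "ops": {"computer operators"},
    "cab": {"change management"},
    "helpdesk": {"users"},
    "netops": {"network management"},
}
USER_GROUPS = {
    "alice": {"dev", "ops"},      # writes code and runs it in production
    "bob": {"cab", "dev"},        # approves changes to her own code
    "carol": {"ops", "netops"},   # two functions, but not a conflicting pair
    "dave": {"helpdesk"},
}


def effective_functions(user_groups, group_functions):
    """Resolve each user's effective functions as the union over their groups."""
    resolved = {}
    for user, groups in user_groups.items():
        unknown = set(groups) - set(group_functions)
        if unknown:
            raise ValueError(f"{user}: unknown groups {sorted(unknown)}")
        resolved[user] = set().union(*(group_functions[g] for g in groups))
    return resolved


def find_conflicts(assignments):
    """Return {user: [(func_a, func_b), ...]} for every conflicting pair held.

    `assignments` maps a user to the set of systems functions they hold.
    Pairs are returned in sorted order so results are deterministic.
    """
    unknown = {f for funcs in assignments.values() for f in funcs} - FUNCTIONS
    if unknown:
        raise ValueError(f"unknown functions: {sorted(unknown)}")
    findings = {}
    for user, funcs in assignments.items():
        hits = [pair for pair in combinations(sorted(funcs), 2)
                if frozenset(pair) in CONFLICTS]
        if hits:
            findings[user] = hits
    return findings


def sod_report(user_groups=USER_GROUPS, group_functions=GROUP_FUNCTIONS):
    """Run the full check and return the findings dictionary."""
    return find_conflicts(effective_functions(user_groups, group_functions))


if __name__ == "__main__":
    for user, pairs in sorted(sod_report().items()):
        for a, b in pairs:
            print(f"SoD conflict: {user} holds both '{a}' and '{b}'")
```

Running the module as a script prints one line per conflicting pair; `alice` and `bob` are flagged, `carol` and `dave` are not. Because the check works on effective functions, adding a user to an innocuous-looking group that grants a second function would surface a conflict that a per-group review would miss.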
Monitoring
• Perform internal control evaluations (e.g., internal audit)
• Implement effective supervision
• Use responsibility accounting systems (e.g., budgets)
• Monitor system activities
• Track purchased software and mobile devices
• Conduct periodic audits (e.g., external, internal, network
security)
• Employ computer security officer
• Engage forensic specialists
• Install fraud detection software
• Implement fraud hotline
Key Terms (1 of 3)
• Threat/Event
• Exposure/impact
• Likelihood/risk
• Internal controls
• Preventive controls
• Detective controls
• Corrective controls
• General controls
• Application controls
• Belief system
• Boundary system
• Diagnostic control system
• Interactive control system
• Foreign Corrupt Practices Act (FCPA)
• Sarbanes-Oxley Act (SOX)
• Public Company Accounting
Oversight Board (PCAOB)
• Control Objectives for Information
and Related Technology (COBIT)
• Committee of Sponsoring
Organizations (COSO)
• Internal control-integrated framework
(IC)
• Enterprise Risk Management
Integrated Framework (ERM)
• Internal environment
Key Terms (2 of 3)
• Risk appetite
• Audit committee
• Policy and procedures manual
• Background check
• Strategic objectives
• Operations objectives
• Reporting objectives
• Compliance objectives
• Event
• Inherent risk
• Residual risk
• Expected loss
• Control activities
• Authorization
• Digital signature
• Specific authorization
• General authorization
• Segregation of accounting duties
• Collusion
• Segregation of systems duties
• Systems administrator
• Network manager
• Security management
• Change management
• Users
• Systems analysts
• Programmers
• Computer operators
• Information system library
Key Terms (3 of 3)
• Data control group
• Steering committee
• Strategic master plan
• Project development plan
• Project milestones
• Data processing schedule
• System performance measurements
• Throughput
• Utilization
• Response time
• Postimplementation review
• Systems integrator
• Analytical review
• Audit trail
• Computer security officer (CSO)
• Chief compliance officer (CCO)
• Forensic investigators
• Computer forensics specialists
• Neural networks
• Fraud hotline