accounting informaton system ch_07

Accounting Information Systems: Accounting Information Systems: Essential Concepts and ApplicationsEssential Concepts and Applications Fourth Edition by Wilkinson, Cerullo, Raval, and Fourth Edition by Wilkinson, Cerullo, Raval, and Wong-On-WingWong-On-Wing

Chapter 7: Risk Exposures and the Internal Control Structure

Slides Authored by Somnath Bhattacharya, Ph.D.Florida Atlantic University

Internal Control

Internal Control is a state that management strives to achieve to provide reasonable assurance that the firm’s objectives will be achieved

These controls encompass all the measures and practices that are used to counteract exposures to risks

The control framework is called the Internal Control Structure

Objectives of the Internal Control Structure

Promoting Effectiveness and Efficiency of Operations

Reliability of Financial ReportingSafeguarding assetsChecking the accuracy and reliability of

accounting dataCompliance with applicable laws and

regulationsEncouraging adherence to prescribed

managerial policies

Components and Major Considerations of the IC Structure

Internal ControlStructure

ControlEnvironment

RiskAssessment

ControlActivities

Information&

CommunicationMonitoring

Activities relatedto FinancialReporting

Activities relatedto Information

Processing

GeneralControls

ApplicationControls

Figure 7-1

Control Environment

The Control Environment establishes the tone of a company, influencing the control consciousness of its employees

It is comprised of seven components:• Management philosophy and operating style• Integrity and ethical values• Commitment to competence• The Board of Directors and the Audit Committee• Organizational Structure• Assignment of authority and responsibility• Human resources policies and practices• External Influences

Management Philosophy and Operating Style Does management emphasize short-term

profits and operating goals over long-term goals?

Is management dominated by one or a few individuals?

What type of business risks does management take and how are these risks managed?

Is management conservative or aggressive toward selecting from available alternative accounting principles?

Figure 7-2

Highlights of CE Components - I

Figure 7-2 Continued

Highlights of CE Components - IIOrganization Structure

Is an up-to-date organization chart prepared, showing the names of key personnel?

Is the information systems functionseparated from incompatible functions?

How is the accounting departmentorganized?

Is the internal audit function separate and distinct from accounting?

Do subordinate managers report to more than one supervisor?

Assignment of Authority and Responsibility Does the company prepare written

employee job descriptions defining specific duties and reporting relationships?

Is written approval required for changes made to information systems?

Does the company clearly delineate employees and managers the boundaries of authority-responsibility relationships?

Does the company properly delegate authority to employees and departments?


Highlights of CE Components - III

Human Resource Policies and Practices Are new personnel indoctrinated with respect to

Internal Controls, Ethics Policies, and Corporate Code of Conduct?

Is the company in compliance with the ADA? The EEOA?

Are Grievance Procedures to manage conflict in force?

Does the company maintain a sound Employee Relations program?

Do employees work in a safe, healthy environment? Are Counseling Programs available to employees? Are proper Separation Programs in force for

employees who leave the firm? Are critical employees Bonded?


Highlights of CE Components - IV

Key Functions Performed by Audit Committees

Establish an Internal Audit DepartmentReview the Scope and Status of AuditsReview Audit Findings with the Board

and ensure that Management has taken proper action recommended in the Audit Report and Letter of Reportable Conditions

Maintain a direct Line of Communication among the Board, Management, External and Internal Auditors, and periodically arrange Meetings among the parties

Figure 7-3

Key Functions Performed by Audit Committees

Review the Audited Financial Statements with the Internal Auditors and the Board of Directors

Require periodic Quality Reviews of the operations of the Internal Audit Departments to identify areas needing improvement

Supervise special investigations, such as Fraud Investigations

Assess the performance of Financial Management

Require the Review of Compliance with Laws and Regulations and with Corporate Codes of Conduct Figure 7-3

Risk Assessment

Top management must be directly involved in Business Risk Assessment.

This involves the Identification and Analysis of Relevant Risks that may prevent the attainment of Company-wide Objectives and Objectives of Organizational Units and the formation of a plan to determine how to manage the risks.

Control Activities - I

Control Activities as related to Financial Reporting may be classified according to their intended uses in a system:• Preventive Controls block adverse events, such as

errors or losses, from occurring • Detective Controls discover the occurrence of

adverse events such as operational inefficiency• Corrective controls are designed to remedy

problems discovered through detective controls • Security Measures are intended to provide adequate

safeguards over access to and use of assets and data records

Control Activities - II

Control Activities relating to Information Processing may also be classified according to where they will be applied within the system• General controls are those controls that pertain

to all activities involving a firm’s AIS and assets• Application controls relate to specific

accounting tasks or transactions

The overall trend seems to be going from specific application controls to more global general controls

Control Activities - IIIPerformance Reviews

Comparing Budgets to Actual Values Relating Different Sets of Data-Operating or

Financial-to one another, together with Analyses of the relationships and Investigative and Corrective Actions

Reviewing Functional Performance such as a bank’s consumer loan manager’s review of reports by branch, region, and loan type for loan approvals and collections

Information & Communication All Transactions entered for processing are Valid

and Authorized All valid transactions are captured and entered for

processing on a Timely Basis and in Sufficient Detail to permit the proper Classification of Transactions

The input data of all entered transactions are Accurate and Complete, with the transactions being expressed in proper Monetary terms

All entered transactions are processed properly to update all affected records of Master Files and/or Other Types of Data sets

All required Outputs are prepared according to Appropriate Rules to provide Accurate and Reliable Information

All transactions are recorded in the proper Accounting Period

Risk

Business firms face risks that reduce the chances of achieving their control objectives.

Risk exposures arise from internal sources, such as employees, as well as external sources, such as computer hackers.

Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.

Figure 7-4

Some Typical Sources of Risk - IClerical and Operational Employees, who

process transactional data and have access to Assets

Computer Programmers, who have knowledge relating to the Instructions by which transactions are processed

Managers and Accountants, who have access to Records and Financial Reports and often have Authority to Approve Transactions


Some Typical Sources of Risk - IIFormer Employees, who may still understand the

Control Structure and may harbor grudges against the firm

Customers and Suppliers, who generate many of the transactions processed by the firm

Competitors, who may desire to acquire confidential information of the firm

Outside Persons, such as Computer Hackers and Criminals, who have various reasons to access the firm’s data or its assets or to commit destructive acts

Acts of Nature or Accidents, such as floods, fires, and equipment breakdowns

Types of Risks

Unintentional errorsDeliberate Errors (Fraud)Unintentional Losses of AssetsThefts of assetsBreaches of SecurityActs of Violence and Natural

Disasters

Factors that Increase Risk Exposure

Frequency - the more frequent an occurrence of a transaction thegreater the exposure to risk

Vulnerability - liquid and/or portable assets contribute to risk exposure

Size of the potential loss - the higher the monetary value of a loss, the greater the risk exposure

Problem Conditions Affecting Risk Exposures

Collusion (both internal and external), which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures

Lack of Enforcement Management may not prosecute wrongdoers because of the potential embarrassment

Computer crime poses very high degreesof risk, and fraudulent activities are difficultto detect

Computer Crime

Computer crime (computer abuse) is the use of a computer to deceive for personal gain.

Due to the proliferation of networks and personal computers, computer crime is expected to significantly increase both in frequency and amount of loss.

It is speculated that a relatively small proportion of computer crime gets detected and an even smaller proportion gets reported.

Examples of Computer Crime

Theft of Computer Hardware & Software

Unauthorized Use of Computer Facilities for Personal Use

Fraudulent Modification or Use of Data or Programs

Reasons Why Computers Cause Control Problems

Processing is ConcentratedAudit Trails may be UnderminedHuman Judgment is bypassedData are stored in Device-Oriented rather than

Human-Oriented forms Invisible Data Stored data are Erasable Data are stored in a Compressed form Stored data are relatively accessible

Computer Equipment is Powerful but Complex and Vulnerable

Feasibility of Controls

Audit Considerations Cost-Benefit Considerations

Determine Specific Computer Resources Subject to Control Determine all Potential Threats to the company’s Computer

System Assess the Relevant Risks to which the firm is exposed Measure the Extent of each Relevant Risk exposure in dollar

terms Multiply the Estimated Effect of each Relevant Risk Exposure

by the Estimated Frequency of Occurrence over a Reasonable Period, such as a year

Compute the Cost of Installing and Maintaining a Control that is to Counter each Relevant Risk Exposure

Compare the Benefits against the Costs of Each Control

Legislation

The Foreign Corrupt Practices Act of 1977Of the Federal Legislation governing the

use of computers, The Computer Fraud and Abuse Act of 1984 (amended in 1986) is perhaps the most important This act makes it a federal crime to

intentionally access a computer for such purposes as: (1) obtaining top-secret military information, personal, financial or credit information

(2) committing a fraud (3) altering or destroying federal information

Methods for Thwarting Computer Abuse

Enlist top-management support so that awareness of computer abuse will filter down through management ranks.

Implement and enforce control procedures. Increase employee awareness in the

seriousness of computer abuse, the amount of costs, and the disruption it creates.

Establish a code of conduct.Be aware of the common characteristics of most

computer abusers.

Methods for Thwarting Computer Abuse Recognize the symptoms of computer abuse

such as: behavioral or lifestyle changes in an employee accounting irregularities such as forged, altered

or destroyed input documents or suspicious accounting adjustments

absent or ignored control procedures the presence of many odd or unusual anomalies

that go unchallenged Encourage ethical behavior

Control Problems Caused by Computerization: Data Collection

Characteristics Characteristics Risk Exposures CompensatingControls

Data recorded inpaper sourcedocuments

Data sometimescaptured withoutuse of sourcedocuments

Audit trail may bepartially lost

Printed copies ofsource documentsprepared bycomputer systems

Data reviewed forerrors by clerks

Data often notsubject to reviewby clerks

Errors, accidentalor deliberate, maybe entered forprocessing

Edit checksperformed bycomputer system

Manual System Computer-based System

Figure 7-6

Control Problems Caused by Computerization: Data Processing



Processing stepsperformed by clerkswho possess judgment

Processing stepsperformed by CPU“blindly” in accordancewith programinstructions

Errors may causeincorrect results ofprocessing

Outputs reviewed byusers of computersystem; carefullydeveloped computerprocessing programs

Processing stepsamong various clerks inseparate departments

Processing stepsconcentrated withincomputer CPU

Unauthorizedmanipulation of dataand theft of assets canoccur on larger scale

Restricted access tocomputer facilities;clear procedure forauthorizing changes toprograms

Processing requires useof journals and ledgers

Processing does notrequire use of journals

Audit trail may bepartially lost

Printed journals andother analyses

Processing performedrelatively slowly

Processing performedvery rapidly

Effects of errors mayspread rapidly throughfiles

Editing of all dataduring input andprocessing steps


Control Problems Caused by Computerization: Data Storage & Retrieval



Data stored in filedrawersthroughout thevariousdepartments

Data compressedon magneticmedia (e.g.,tapes, disks)

Data may beaccessed byunauthorizedpersons or stolen

Security measuresat points of accessand over datalibrary

Data stored onhard copies inhuman- readableform

Data stored ininvisible,eraseable,computer-readableform

Data aretemporarilyunusable byhumans, andmight possibly belost

Data files printedperiodically;backup of files;protection againstsudden powerlosses

Stored dataaccessible on apiece-meal basisat variouslocations

Stored data oftenreadily accessiblefrom variouslocations viaterminals

Data may beaccessed byunauthorizedpersons

Security measuresat points of access


Control Problems Caused by Computerization: Information Generation



Outputsgeneratedlaboriously andusually in smallvolumes

Outputs generatedquickly and neatly,often in largevolumes

Inaccuracies maybe buried inimpressive-lookingoutputs that usersaccept on faith

Reviews by usersof outputs,including thechecking ofamounts

Outputs usually inhard-copy form

Outputs providedin various forms,including soft-copydisplays and voiceresponses

Information storedon magneticmedia is subject tomodification (onlyhard copyprovidespermanent record)

Backup of files;periodic printing ofstored files ontohard-copy records


Control Problems Caused by Computerization: Equipment



Relatively simple,inexpensive, andmobile

Relativelycomplex,expensive, and infixed locations

Businessoperations may beintentionally orunintentionallyinterrupted; dataor hardware maybe destroyed;operations may bedelayed throughinefficiencies

Backup of dataand power supplyand equipment;preventivemaintenance ofequipment;restrictions onaccess tocomputerfacilities;documentation ofequipment usageand processingproceduresFigure 7-6 Continued

Copyright © 2000 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The publisher assumes no responsibility for errors, omissions, or damages, caused by the use of these programs or from the use of the information contained herein.

Accounting Information Systems: Accounting Information Systems: Essential Concepts and ApplicationsEssential Concepts and Applications Fourth Edition by Wilkinson, Cerullo,Fourth Edition by Wilkinson, Cerullo,Raval, and Wong-On-WingRaval, and Wong-On-Wing

accounting informaton system ch_07

Documents

control consciousness

accounting information

management conservative

operating styledoes

risksthe control framework

accounting department

information systems

operating goals