Control & Accounting Information System - Aalto
Control & Accounting Information System, by Vikash Sinha
I. Internal Control
II. Internal Control Frameworks
   i. COBIT
   ii. COSO IC
   iii. COSO ERM
III. Information security and control
I. Internal Control
© Vikash Sinha, 2019 (19.11.2019)
Why is control needed?
THREATS
What are internal controls?
Internal controls
Processes implemented to provide assurance that the following objectives are achieved:
• Comply with laws and regulations
• Encourage adherence to management policies
• Safeguard assets
• Maintain sufficient records
• Provide accurate and reliable information
• Prepare financial reports according to established criteria
• Promote and improve operational efficiency
Foreign Corrupt Practices Act (FCPA) and Sarbanes–Oxley Act (SOX)
FCPA is legislation passed in 1977 to
• Prevent companies from bribing foreign officials to obtain business
• Require all publicly owned corporations to maintain a system of internal accounting controls
SOX is legislation passed in 2002 that applies to publicly held companies and their auditors, to
• Prevent financial statement fraud
• Make financial reports transparent
• Protect investors
• Strengthen internal controls
• Punish executives who perpetrate fraud
Function of internal controls
• Preventive controls: deter problems from occurring
• Detective controls: discover problems that are not prevented
• Corrective controls: identify and correct problems; correct and recover from the problems
Three lines of defense
[Figure: three lines of defense. Labels: Board of Directors, Audit Committee, Compensation and Nomination Committee; Chief Executive Officer, Chief Risk Officer, Chief Internal Audit Officer; Owners of each line. First line: Operations; second line: Risk Management; third line: Internal Audit; External Audit alongside.]
II. Internal Control Frameworks
What are the important control frameworks?
Different control frameworks
Control Objectives for Information and Related Technologies (COBIT) by the Information Systems Audit and Control Association (ISACA)
• Framework for IT control
Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control (IC) Framework
• Framework for enterprise internal controls (control-based approach)
COSO Enterprise Risk Management Framework
• Expands the COSO framework, taking a risk-based approach
II.i COBIT
Historical evolution of COBIT
[Figure: evolution of scope. COBIT1: Audit (1996); COBIT2: Control (1998); COBIT3: Management (2000); COBIT4.0/4.1: IT Governance (2005/7); COBIT 5: Governance of Enterprise IT (2012). Related: Val IT 2.0 (2008), Risk IT (2009).]
A framework from ISACA, at www.isaca.org/cobit
Five principles of COBIT 5
• Meeting Stakeholder Needs
• Covering the Enterprise End-to-end
• Applying a Single Integrated Framework
• Enabling a Holistic Approach
• Separating Governance From Management
Meeting stakeholder needs
Source: COBIT® 5, figure 3. © 2012 ISACA® All rights reserved.
Enterprises have many stakeholders, and ‘creating value’ means different—and sometimes conflicting—things to each of them. Governance is about negotiating and deciding amongst different stakeholders’ value interests.
The governance system should consider all stakeholders when making benefit, resource and risk assessment decisions.
For each decision, the following can and should be asked:
- Who receives the benefits?
- Who bears the risk?
- What resources are required?
Covering the enterprise end-to-end
[Figure: key components of a governance system]
Applying a single integrated framework
COBIT 5 aligns with the latest relevant other standards and frameworks used by enterprises:
• Enterprise: COSO, COSO ERM, ISO/IEC 9000 (quality management system), ISO/IEC 31000 (risk management)
• IT-related: ISO/IEC 38500 (IT governance), ITIL, ISO/IEC 27000 series (information security related), TOGAF, PMBOK/PRINCE2, CMMI
PMBOK: Project Management Body of Knowledge
CMMI: Capability Maturity Model Integration
ITIL: Information Technology Infrastructure Library
TOGAF: The Open Group Architecture Framework
PRINCE: PRojects IN Controlled Environments
Enabling a holistic approach
Separating governance from management
Governance—In most enterprises, governance is the responsibility of the board of directors under the leadership of the chairperson. Governance ensures that stakeholders’ needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritisation and decision making; and monitoring performance and compliance against agreed-on direction and objectives (EDM).
Management—In most enterprises, management is the responsibility of the executive management under the leadership of the CEO. Management plans, builds, runs and monitors activities in alignment with the direction set by the governance body to achieve the enterprise objectives (PBRM).
[Figure: COBIT 5 management domains. APO: Align, plan, and organize; BAI: Build, acquire, and implement; DSS: Deliver, service, and support; MEA: Monitor, evaluate, and assess.]
II.ii COSO IC
Internal control framework COSO 1992
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
II.iii COSO ERM
Risk management framework COSO 2004
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Components of COSO framework
COSO:
• Control (internal) environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring
COSO-ERM:
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
Internal environment
Management’s philosophy, operating style, and risk appetite
Commitment to integrity, ethical values, and competence
Internal control oversight by the Board of Directors
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
Objective setting
• Strategic objectives: high-level goals
• Operations objectives: effectiveness and efficiency of operations
• Reporting objectives: improve decision making and monitor performance
• Compliance objectives: compliance with applicable laws and regulations
Event identification
Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization’s objectives.
Key management questions:
• What could go wrong?
• How can it go wrong?
• What is the potential harm?
• What can be done about it?
Risk assessment
Risk is assessed from two perspectives:
• Likelihood: probability that the event will occur
• Impact: estimate of the potential loss if the event occurs
Types of risk:
• Inherent: risk that exists before plans are made to control it
• Residual: risk that is left over after you control it
Risk response
• Reduce: implement effective internal control
• Accept: do nothing; accept the likelihood and impact of the risk
• Share: buy insurance, outsource, or hedge
• Avoid: do not engage in the activity
Control activities
Proper authorization of transactions and activities
Segregation of duties
Project development and acquisition controls
Change management controls
Design and use of documents and records
Safeguarding assets, records, and data
Independent checks on performance
Information and communication
[Figure: segregation of accounting duties]
Information and communication
Segregation of systems duties, to divide authority and responsibility between the following systems functions:
• System administration
• Network management
• Security management
• Change management
• Users
• Systems analysts
• Programmers
• Computer operators
• Information system librarian
• Data control
Monitoring
Perform internal control evaluations (e.g., internal audit)
Implement effective supervision
Use responsibility accounting systems (e.g., budgets)
Monitor system activities
Track purchased software and mobile devices
Conduct periodic audits (e.g., external, internal, network security)
Employ a computer security officer
Engage forensic specialists
Install fraud detection software
Implement a fraud hotline
III. Information security and control
Trust services framework
• Security: access to the system and data is controlled and restricted to legitimate users.
• Confidentiality: sensitive organizational data is protected.
• Privacy: personal information about trading partners, investors, and employees is protected.
• Processing integrity: data are processed accurately, completely, in a timely manner, and only with proper authorization.
• Availability: the system and information are available.
Security lifecycle: a management issue
• Assess threats and select risk response
• Develop and communicate policy
• Acquire and implement solutions
• Monitor performance
Time-based model: security is effective if P > D + C, where
• P is the time it takes an attacker to break through preventive controls
• D is the time it takes to detect that an attack is in progress
• C is the time it takes to respond to the attack and take corrective action
Security breach process of criminals
• Conduct reconnaissance
• Attempt social engineering
• Scan and map the target
• Research
• Execute the attack
• Cover tracks
Examples of different types of controls
[Figure: table of example controls by type; column: Corrective controls]
Protecting confidentiality and privacy
Identify and classify information to protect
• Where is it located and who has access?
• Classify the value of the information to the organization
Encryption
• Protect information in transit and in storage
Access controls
• Information Rights Management (IRM)
• Data loss prevention (DLP)
• Digital watermarks
Training
Processing integrity controls
Input process stage
• Forms design
- Sequentially prenumbered
• Turnaround documents
• Cancelation and storage of source documents
• Data entry controls
Processing integrity: data entry controls
• Field check: characters in a field are of the proper type
• Sign check: data in a field has the appropriate sign (positive/negative)
• Limit check: tests a numerical amount against a fixed value
• Range check: tests a numerical amount against lower and upper limits
• Size check: input data fits into the field
• Completeness check: verifies that all required data is entered
• Validity check: compares data from the transaction file to the master file to verify existence
• Reasonableness test: correctness of the logical relationship between two data items
• Check digit verification: recalculating the check digit to verify that a data entry error has not been made
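The nine data entry controls above applied to one constructed sales-order record, as an added example that is not part of the slides. The record layout, the credit limit, the quantity range, the field width and the Luhn (mod-10) check digit scheme are all assumptions chosen for illustration.

```python
from datetime import date

# Constructed master file of customer numbers (the validity check looks these up).
CUSTOMER_MASTER = {"10034", "10042", "10057"}
CREDIT_LIMIT = 5000.00   # assumed fixed value for the limit check
QTY_RANGE = (1, 500)     # assumed lower and upper limits for the range check
ORDER_NO_SIZE = 8        # assumed field width for the size check


def luhn_check_digit(payload: str) -> int:
    """Mod-10 (Luhn) check digit over the payload digits; the scheme is an assumption."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit, starting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def validate_order(rec: dict) -> list:
    """Apply each data entry control to one record; return the names of the failed checks."""
    required = ("order_no", "customer_no", "qty", "amount", "order_date", "ship_date")
    # Completeness check: every required field must be present and non-empty.
    if any(rec.get(f) in (None, "") for f in required):
        return ["completeness"]        # the remaining checks need all fields
    failures = []
    qty = str(rec["qty"])
    # Field check: the quantity field must contain only digits.
    if not qty.isdigit():
        failures.append("field")
    # Range check: quantity must lie between the lower and upper limits.
    elif not QTY_RANGE[0] <= int(qty) <= QTY_RANGE[1]:
        failures.append("range")
    # Sign check: an order amount must not be negative.
    if rec["amount"] < 0:
        failures.append("sign")
    # Limit check: amount compared against one fixed value (the credit limit).
    if rec["amount"] > CREDIT_LIMIT:
        failures.append("limit")
    # Size check: the order number must fit the fixed field width exactly.
    if len(rec["order_no"]) != ORDER_NO_SIZE:
        failures.append("size")
    # Validity check: the customer must exist in the master file.
    if rec["customer_no"] not in CUSTOMER_MASTER:
        failures.append("validity")
    # Reasonableness test: logical relationship between two items (ship on/after order date).
    if rec["ship_date"] < rec["order_date"]:
        failures.append("reasonableness")
    # Check digit verification: last digit of order_no must equal the recomputed check digit.
    body, check = rec["order_no"][:-1], rec["order_no"][-1]
    if not (body.isdigit() and check.isdigit() and luhn_check_digit(body) == int(check)):
        failures.append("check_digit")
    return failures


# Constructed records: "12345674" carries a correct Luhn check digit (payload 1234567 -> 4).
GOOD_ORDER = {"order_no": "12345674", "customer_no": "10042", "qty": "25", "amount": 1250.00,
              "order_date": date(2019, 11, 19), "ship_date": date(2019, 11, 21)}
BAD_ORDER = {"order_no": "12345670", "customer_no": "99999", "qty": "25x", "amount": -7500.00,
             "order_date": date(2019, 11, 19), "ship_date": date(2019, 11, 1)}
# A transposed order number ("21345674") passes every test except check digit verification.
```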
Additional data entry controls
Batch processing
• Sequence check: test that batch data is in proper numerical or alphabetical sequence
• Batch totals: summarize numeric values for a batch of input records
- Financial total
- Hash total
- Record count
Prompting
• System prompts you for input (online completeness check)
Closed-loop verification
• Checks accuracy of input data by using it to retrieve and display other related information (e.g., customer account # retrieves the customer name)
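The batch processing controls above (sequence check, financial total, hash total, record count) run over a constructed batch of invoice records, as an added example that is not part of the slides; the record layout and the control-total format are assumptions. Each keying error below is caught by exactly the control designed for it.

```python
def sequence_check(records: list, key: str = "invoice_no") -> bool:
    """Sequence check: the batch must be in strictly ascending order on the key."""
    keys = [r[key] for r in records]
    return all(a < b for a, b in zip(keys, keys[1:]))


def batch_totals(records: list) -> dict:
    """The three batch totals named in the slides, computed from the records as entered."""
    return {
        "record_count": len(records),                                      # number of records
        "financial_total": round(sum(r["amount"] for r in records), 2),    # sum of a money field
        "hash_total": sum(r["account_no"] for r in records),               # sum of a non-money field
    }


def reconcile_batch(records: list, control_totals: dict) -> list:
    """Compare recomputed totals with the control totals prepared before data entry.
    Returns the names of the controls that disagree, plus 'sequence' if out of order."""
    computed = batch_totals(records)
    failures = [name for name, expected in control_totals.items() if computed[name] != expected]
    if not sequence_check(records):
        failures.append("sequence")
    return failures


def keyed_copy(records: list, index: int, **changes) -> list:
    """Return a copy of the batch with one record changed, simulating a keying error."""
    copy = [dict(r) for r in records]
    copy[index].update(changes)
    return copy


# Constructed batch; the control totals were prepared from the source documents.
BATCH = [
    {"invoice_no": 1001, "account_no": 40210, "amount": 120.50},
    {"invoice_no": 1002, "account_no": 40377, "amount": 75.00},
    {"invoice_no": 1003, "account_no": 40210, "amount": 310.25},
]
CONTROL_TOTALS = {"record_count": 3, "financial_total": 505.75, "hash_total": 120797}

# Keying errors that each control is designed to surface:
TRANSPOSED_AMOUNT = keyed_copy(BATCH, 0, amount=102.50)      # only the financial total moves
WRONG_ACCOUNT = keyed_copy(BATCH, 1, account_no=40737)       # only the hash total moves
DROPPED_RECORD = BATCH[:2]                                   # all three totals move
OUT_OF_ORDER = [BATCH[1], BATCH[0], BATCH[2]]                # totals agree; sequence fails
```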
Output controls
User review of output
Reconciliation procedures
• Procedures to reconcile to control reports (e.g., general ledger A/R account reconciled to the Accounts Receivable Subsidiary Ledger)
• External data reconciliation
Data transmission controls
• Checksums
• Parity bits
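The two data transmission controls named above, a per-byte parity bit and an additive checksum, applied to a constructed message, as an added example that is not part of the slides. Even parity and a mod-256 sum are assumptions chosen for illustration; both detect accidental corruption only, not deliberate modification, which needs a keyed integrity check.

```python
def parity_bit(byte: int) -> int:
    """Even parity: the bit that makes the total number of 1 bits in the byte even."""
    return bin(byte & 0xFF).count("1") % 2


def parity_bits(data: bytes) -> list:
    """The parity bit sent alongside each byte of the message."""
    return [parity_bit(b) for b in data]


def parity_errors(received: bytes, sent_bits: list) -> list:
    """Positions whose received byte no longer matches the parity bit sent with it."""
    return [i for i, (b, p) in enumerate(zip(received, sent_bits)) if parity_bit(b) != p]


def checksum(data: bytes) -> int:
    """Simple additive checksum: sum of all byte values modulo 256."""
    return sum(data) % 256


def flip_bit(data: bytes, index: int, bit: int) -> bytes:
    """Simulate a transmission error that inverts one bit of one byte."""
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)


def swap_bytes(data: bytes, i: int, j: int) -> bytes:
    """Simulate a transmission error that transposes two bytes."""
    out = bytearray(data)
    out[i], out[j] = out[j], out[i]
    return bytes(out)


def check_transmission(received: bytes, sent_bits: list, sent_checksum: int) -> dict:
    """Apply both controls to a received message; True means the control flagged an error."""
    return {
        "parity": bool(parity_errors(received, sent_bits)),
        "checksum": checksum(received) != sent_checksum,
    }


# Constructed message with its controls computed at the sending end.
MESSAGE = b"INV1001 ACCT40210 AMT120.50"
SENT_BITS = parity_bits(MESSAGE)
SENT_CHECKSUM = checksum(MESSAGE)

# One flipped bit in byte 3: caught by that byte's parity and by the checksum.
ONE_BIT = flip_bit(MESSAGE, 3, 0)
# Two flipped bits in the same byte: parity is unchanged (an even number of flips),
# so only the checksum catches it.
TWO_BITS = flip_bit(ONE_BIT, 3, 1)
# Two transposed bytes: the additive checksum is unchanged; here the per-byte parity
# bits still differ because 'I' and 'N' have different parity.
SWAPPED = swap_bytes(MESSAGE, 0, 1)
```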