Control and Accounting Information Systems - PowerPoint Presentation

Uploaded by dollumbr (@dollumbr) on 2020-06-26

Presentation Transcript

Slide1

Control and Accounting Information Systems

Chapter 7


Slide2

Learning Objectives

Explain basic control concepts.

Compare and contrast the COBIT, COSO, and ERM control frameworks.

Describe the major elements in the internal environment of a company.

Describe the four types of control objectives that companies need to set.

Describe the events that affect uncertainty and the techniques used to identify them.

Explain how to assess and respond to risk using the Enterprise Risk Management model.

Describe control activities commonly used in companies.

Describe how to communicate information and monitor control processes in organizations.

Slide3

Internal Controls

Processes implemented to provide reasonable assurance that the following objectives are achieved:

Safeguard assets

Maintain sufficient records

Provide accurate and reliable information

Prepare financial reports according to established criteria

Promote and improve operational efficiency

Encourage adherence with management policies

Comply with laws and regulations

Slide4

Functions of Internal Controls

Preventive controls: deter problems from occurring.

Detective controls: discover problems that are not prevented.

Corrective controls: identify and correct problems; correct and recover from the problems.

Slide5

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

In 1977, Congress passed the Foreign Corrupt Practices Act, and to the surprise of the profession, this act incorporated language from an AICPA pronouncement.

The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.

A significant side effect was to require that corporations maintain good systems of internal accounting control.

Slide6

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

In the late 1990s and early 2000s, a series of multi-million-dollar accounting frauds made headlines.

The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka SOX).

SOX applies to publicly held companies and their auditors.

Slide7

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

The intent of SOX is to:

Prevent financial statement fraud

Make financial reports more transparent

Protect investors

Strengthen internal controls in publicly held companies

Punish executives who perpetrate fraud

SOX has had a material impact on the way boards of directors, management, and accountants operate.

Slide8

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

Important aspects of SOX include:

Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession

New rules for auditors

New rules for audit committees

New rules for management

New internal control requirements

Slide9

SOX AND THE FOREIGN CORRUPT PRACTICES ACT

After the passage of SOX, the SEC further mandated that:

Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.

The report must contain a statement identifying the framework used.

Slide10

Control Frameworks

COBIT: framework for IT control.

COSO: framework for enterprise internal controls (control-based approach).

COSO-ERM: expands the COSO framework, taking a risk-based approach.

Slide11

COBIT Framework

The current framework version is COBIT 5, based on the following principles:

Meeting stakeholder needs

Covering the enterprise end-to-end

Applying a single, integrated framework

Enabling a holistic approach

Separating governance from management

Slide12

CONTROL FRAMEWORKS

COSO’s Internal Control Framework

The Committee of Sponsoring Organizations (COSO) is a private sector group consisting of:

The American Accounting Association

The AICPA

The Institute of Internal Auditors

The Institute of Management Accountants

The Financial Executives Institute

Slide13

Components of COSO Frameworks

COSO (five components):

Control (internal) environment

Risk assessment

Control activities

Information and communication

Monitoring

COSO-ERM (eight components):

Internal environment

Objective setting

Event identification

Risk assessment

Risk response

Control activities

Information and communication

Monitoring

Slide14

CONTROL FRAMEWORKS

ERM Framework

Takes a risk-based, rather than controls-based, approach to the organization.

Oriented toward the future and constant change.

Incorporates rather than replaces COSO's internal control framework and contains three additional elements:

Setting objectives.

Identifying positive and negative events that may affect the company's ability to implement strategy and achieve objectives.

Developing a response to assessed risk.

Slide15

CONTROL FRAMEWORKS

COSO developed a model to illustrate the elements of ERM.

Slide16

Objectives

Strategic objectives: high-level goals.

Operations objectives: effectiveness and efficiency of operations.

Reporting objectives: improve decision making and monitor performance.

Compliance objectives: compliance with applicable laws and regulations.

Slide17

INTERNAL ENVIRONMENT

The most critical component of the ERM and the internal control framework.

It is the foundation on which the other seven components rest.

It influences how organizations:

Establish strategies and objectives

Structure business activities

Identify, assess, and respond to risk

A deficient internal control environment often results in risk management and control breakdowns.

Slide18

Internal Environment

Management's philosophy, operating style, and risk appetite

Commitment to integrity, ethical values, and competence

Internal control oversight by the Board of Directors

Organizing structure

Methods of assigning authority and responsibility

Human resource standards

Slide19

INTERNAL ENVIRONMENT

The following human resource policies and procedures are important:

Hiring

Compensating

Training

Evaluating and promoting

Discharging

Managing disgruntled employees

Vacations and rotation of duties

Confidentiality, insurance, and fidelity bonds

Slide20

OBJECTIVE SETTING

Objective setting is the second ERM component.

It must precede many of the other six components.

For example, you must set objectives before you can define the events that affect your ability to achieve those objectives.

Slide21

OBJECTIVE SETTING

Top management, with board approval, must articulate why the company exists and what it hopes to achieve.

This is often referred to as the corporate vision or mission.

The mission statement is used as a base from which to set corporate objectives.

The objectives:

Need to be easy to understand and measure.

Should be prioritized.

Should be aligned with the company's risk appetite.

Slide22

EVENT IDENTIFICATION

Events are:

Incidents or occurrences that emanate from internal or external sources and that affect implementation of strategy or achievement of objectives.

Impact can be positive, negative, or both.

Events can range from obvious to obscure.

Effects can range from inconsequential to highly significant.

Slide23

Event Identification

Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization's objectives.

Key management questions:

What could go wrong?

How can it go wrong?

What is the potential harm?

What can be done about it?

Slide24

RISK ASSESSMENT AND RISK RESPONSE

The fourth and fifth components of COSO’s ERM model are risk assessment and risk response.

COSO indicates there are two types of risk:

Inherent risk

Residual risk

Slide25

Risk Assessment

Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.

The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.

The probability that the threat will happen is the likelihood associated with the threat.

Slide26

Risk Response

Reduce: implement effective internal control.

Accept: do nothing; accept the likelihood and impact of the risk.

Share: buy insurance, outsource, or hedge.

Avoid: do not engage in the activity.

Slide27

RISK ASSESSMENT AND RISK RESPONSE

Accountants assess and reduce inherent risk using the risk assessment and response strategy:

1. Identify the events or threats that confront the company.

2. Estimate the likelihood or probability of each event occurring.

3. Estimate the impact of potential loss from each threat.

4. Identify the set of controls to guard against the threat.

5. Estimate the costs and benefits from instituting the controls.

6. Is it cost-beneficial to protect the system?

Yes: reduce risk by implementing the set of controls to guard against the threat.

No: avoid, share, or accept the risk.

Slide28

RISK ASSESSMENT AND RISK RESPONSE

The expected loss related to a risk is measured as:

Expected loss = impact x likelihood

The value of a control procedure is the difference between:

Expected loss without the control procedure

Expected loss with it


Slide29

RISK ASSESSMENT AND RISK RESPONSE

Let’s go through an example:

Hobby Hole is trying to decide whether to install a motion detector system in its warehouse to reduce the probability of a catastrophic theft.

A catastrophic theft could result in losses of $800,000.

Local crime statistics suggest that the probability of a catastrophic theft at Hobby Hole is 12%.

Companies with motion detectors only have about a .5% probability of catastrophic theft.

The present value of purchasing and installing a motion detector system and paying future security costs is estimated to be about $43,000.

Should Hobby Hole install the motion detectors?
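The following is an added worked example, not part of the slide deck: it carries the slide 28 arithmetic (expected loss = impact x likelihood, control value = difference in expected loss) through the Hobby Hole figures on slide 29 and applies the cost-benefit branch of the slide 27 flowchart to pick one of the slide 26 responses. All dollar amounts and probabilities are the ones stated on the slides; the function and class names are the author's own.

```python
# Added example (not part of the slide deck): expected-loss arithmetic from
# slide 28 applied to the Hobby Hole decision on slide 29, with the
# cost-benefit branch of the slide 27 flowchart. All figures come from the
# slides; the function and class names are assumptions of this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class ControlDecision:
    loss_without_control: float   # expected loss if no control is in place
    loss_with_control: float      # expected loss after the control is in place
    control_value: float          # reduction in expected loss the control buys
    control_cost: float           # present value of buying and running the control
    net_benefit: float            # control_value - control_cost
    response: str                 # "reduce" or "avoid, share, or accept"


def expected_loss(impact: float, likelihood: float) -> float:
    """Expected loss = impact x likelihood (slide 28).

    impact is the exposure in dollars should the threat occur; likelihood is
    the probability that it occurs, so it must lie between 0 and 1 inclusive.
    """
    if not 0.0 <= likelihood <= 1.0:
        raise ValueError(f"likelihood must be a probability, got {likelihood}")
    if impact < 0:
        raise ValueError(f"impact must be non-negative, got {impact}")
    return impact * likelihood


def evaluate_control(impact: float, likelihood_without: float,
                     likelihood_with: float, control_cost: float) -> ControlDecision:
    """Value a control as the difference in expected loss with and without it,
    then apply the slide 27 decision: reduce the risk by implementing the
    control when that is cost-beneficial, otherwise avoid, share, or accept."""
    if control_cost < 0:
        raise ValueError("control_cost must be non-negative")
    without = expected_loss(impact, likelihood_without)
    with_ctl = expected_loss(impact, likelihood_with)
    value = without - with_ctl          # benefit of instituting the control
    net = value - control_cost          # benefit net of what the control costs
    response = "reduce" if net > 0 else "avoid, share, or accept"
    return ControlDecision(without, with_ctl, value, control_cost, net, response)


def hobby_hole() -> ControlDecision:
    """Slide 29 figures: $800,000 catastrophic loss, 12% likelihood without
    motion detectors, 0.5% with them, $43,000 present value of the system."""
    return evaluate_control(impact=800_000, likelihood_without=0.12,
                            likelihood_with=0.005, control_cost=43_000)


if __name__ == "__main__":
    d = hobby_hole()
    print(f"Expected loss without control: ${d.loss_without_control:,.0f}")
    print(f"Expected loss with control:    ${d.loss_with_control:,.0f}")
    print(f"Value of control:              ${d.control_value:,.0f}")
    print(f"Cost of control:               ${d.control_cost:,.0f}")
    print(f"Net benefit:                   ${d.net_benefit:,.0f}")
    print(f"Response: {d.response}")
```

Running it prints the two expected losses, the value of the control, and the net benefit after subtracting the $43,000 cost, then names the response the flowchart selects. The likelihood check matters in practice: a probability typed as a percentage (12 rather than 0.12) would inflate every expected loss by a factor of 100 and make almost any control look cost-beneficial, so the function rejects it rather than silently producing a number.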

Slide30

CONTROL ACTIVITIES

The sixth component of COSO’s ERM model.

Control activities are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out.

Slide31

CONTROL ACTIVITIES

It is critical that controls be in place during the year-end holiday season. A disproportionate amount of computer fraud and security break-ins occur during this time because:

More people are on vacation and fewer are around to mind the store.

Students are not tied up with school.

Slide32

Control Activities

Proper authorization of transactions and activities

Segregation of duties

Project development and acquisition controls

Change management controls

Design and use of documents and records

Safeguarding assets, records, and data

Independent checks on performance

Slide33

CONTROL ACTIVITIES

Proper Authorization of Transactions and Activities

Management lacks the time and resources to supervise each employee activity and decision.

Consequently, they establish policies and empower employees to perform activities within policy.

This empowerment is called authorization and is an important part of an organization's control procedures.

Slide34

CONTROL ACTIVITIES

Typically at least two levels of authorization:

General authorization: management authorizes employees to handle routine transactions without special approval.

Special authorization: for activities or transactions that are of significant consequence, management review and approval is required.

Special authorization might apply to sales, capital expenditures, or write-offs over a particular dollar limit.

Management should have written policies for both types of authorization and for all types of transactions.
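As an added illustration that is not part of the slide deck, the policy below encodes the two authorization levels from slide 34 so a system can enforce them rather than leaving them to memory. The dollar limits, transaction types, role names and sample transactions are assumptions of this example; the slides only say that special authorization might apply to sales, capital expenditures, or write-offs over a particular dollar limit.

```python
# Added example (not part of the slide deck): general vs. special authorization
# from slide 34 as a written policy a system can enforce. The dollar limits,
# transaction types, role names and sample data are assumed for illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Assumed policy: transactions of each type up to the limit fall under general
# authorization (routine, no special approval). Above the limit, or for any
# type not listed here, special authorization by management is required.
GENERAL_AUTH_LIMITS: Dict[str, float] = {
    "sale": 10_000.0,
    "capital_expenditure": 5_000.0,
    "write_off": 1_000.0,
}

MANAGEMENT_ROLES = {"manager", "controller", "cfo"}   # assumed role names


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    txn_type: str
    amount: float
    submitted_by: str
    approver: Optional[str] = None        # who approved it, if anyone
    approver_role: Optional[str] = None   # the approver's role, if anyone


def authorization_level(txn_type: str, amount: float) -> str:
    """Return 'general' or 'special' for a transaction type and amount."""
    if amount < 0:
        raise ValueError("amount must be non-negative")
    limit = GENERAL_AUTH_LIMITS.get(txn_type)
    if limit is None or amount > limit:
        return "special"
    return "general"


def authorize(txn: Transaction) -> Tuple[bool, str]:
    """Apply the policy and return (allowed, reason).

    A special transaction must carry a management approval from someone other
    than the submitter; a general one proceeds without special approval.
    """
    level = authorization_level(txn.txn_type, txn.amount)
    if level == "general":
        return True, f"{txn.txn_id}: general authorization"
    if txn.approver is None or txn.approver_role not in MANAGEMENT_ROLES:
        return False, f"{txn.txn_id}: special authorization required, no management approval"
    if txn.approver == txn.submitted_by:
        return False, f"{txn.txn_id}: submitter cannot approve own transaction"
    return True, f"{txn.txn_id}: special authorization by {txn.approver} ({txn.approver_role})"


# Constructed sample transactions (illustrative, not from the slides).
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "sale", 2_500.0, "clerk_a"),                              # routine sale
    Transaction("T2", "write_off", 4_000.0, "clerk_a"),                         # over limit, unapproved
    Transaction("T3", "write_off", 4_000.0, "clerk_a", "mgr_b", "manager"),     # over limit, approved
    Transaction("T4", "capital_expenditure", 9_000.0, "mgr_b", "mgr_b", "manager"),  # self-approved
    Transaction("T5", "payroll_adjustment", 50.0, "clerk_c"),                   # type not in policy
]


def review(transactions: Iterable[Transaction] = SAMPLE_TRANSACTIONS) -> Dict[str, bool]:
    """Run every transaction through the policy; True means it may proceed."""
    return {t.txn_id: authorize(t)[0] for t in transactions}


if __name__ == "__main__":
    for t in SAMPLE_TRANSACTIONS:
        ok, reason = authorize(t)
        print("ALLOW" if ok else "DENY ", reason)
```

Two design choices are worth noting. A transaction type the policy does not mention defaults to special authorization, so a new kind of transaction cannot slip through as routine simply because nobody wrote a limit for it. And a manager approving their own submission is refused even though they hold a management role, which is the authorization side of the segregation-of-duties principle the next slides discuss.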

Slide35

CONTROL ACTIVITIES

Segregation of Duties

Good internal control requires that no single employee be given too much responsibility over business transactions or processes.

An employee should not be in a position to commit and conceal fraud or unintentional errors.

Segregation of duties is discussed in two sections:

Segregation of accounting duties

Segregation of duties within the systems function

Slide36

Segregation of Duties


Slide37

CONTROL ACTIVITIES

Segregation of Duties Within the Systems Function

In a highly integrated information system, procedures once performed by separate individuals are combined.

Therefore, anyone who has unrestricted access to the computer, its programs, and live data could have the opportunity to perpetrate and conceal fraud.

To combat this threat, organizations must implement effective segregation of duties within the IS function.

Slide38

CONTROL ACTIVITIES

Authority and responsibility must be divided clearly among the following functions:

Systems administration

Network management

Security management

Change management

Users

Systems analysts

Programming

Computer operations

Information systems library

Data control
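An added example, not part of the slide deck, showing how the division of the slide 38 functions can be checked mechanically against who actually holds which role. The slides list the functions but do not say which combinations conflict, so the incompatible pairs below are an assumed illustrative policy derived from the slide 37 point that one person with access to the computer, its programs, and live data could both perpetrate and conceal fraud; the sample assignments are constructed.

```python
# Added example (not part of the slide deck): a segregation-of-duties check
# over the IS functions listed on slide 38. The INCOMPATIBLE pairs and the
# sample assignments are assumptions of this example, not the slides' content.
from typing import Dict, FrozenSet, List, Set, Tuple

IS_FUNCTIONS = {
    "systems administration", "network management", "security management",
    "change management", "users", "systems analysts", "programming",
    "computer operations", "information systems library", "data control",
}

# Assumed incompatible pairs (illustrative). Each pair would let one person
# both commit and conceal an error or fraud if held together.
INCOMPATIBLE: Set[FrozenSet[str]] = {
    frozenset({"programming", "computer operations"}),          # write code and run it against live data
    frozenset({"programming", "data control"}),                 # alter programs and the checks on their output
    frozenset({"programming", "information systems library"}),  # modify code and control the production copy
    frozenset({"users", "programming"}),                        # originate transactions and change how they are processed
    frozenset({"change management", "programming"}),            # approve one's own changes
    frozenset({"systems administration", "security management"}),  # administer systems and police that administration
}


def sod_violations(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (person, function_a, function_b) for every incompatible pair
    held by one person, sorted for stable reporting.

    Unknown function names are rejected rather than ignored so that a typo in
    a role name cannot silently bypass the check.
    """
    findings: List[Tuple[str, str, str]] = []
    for person, funcs in assignments.items():
        unknown = funcs - IS_FUNCTIONS
        if unknown:
            raise ValueError(f"{person}: unknown function(s) {sorted(unknown)}")
        for pair in INCOMPATIBLE:
            if pair <= funcs:               # person holds both halves of the pair
                a, b = sorted(pair)
                findings.append((person, a, b))
    return sorted(findings)


# Constructed sample role assignments (illustrative, not from the slides).
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"programming", "computer operations"},
    "bob": {"users"},
    "carol": {"systems administration", "security management", "network management"},
    "dave": {"systems analysts", "change management"},
}


if __name__ == "__main__":
    for person, a, b in sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"{person}: holds both '{a}' and '{b}'")
```

In practice the assignments dictionary would be built from the directory or identity system's group memberships, and the check would run on every change to them; the point of keeping the pair list as data is that the policy can be reviewed and amended without touching the checking logic.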

Slide39

CONTROL ACTIVITIES

Project Development and Acquisition Controls

It's important to have a formal, appropriate, and proven methodology to govern the development, acquisition, implementation, and maintenance of information systems and related technologies.

It should contain appropriate controls for:

Management review and approval

User involvement

Analysis

Design

Testing

Implementation

Conversion

Slide40

CONTROL ACTIVITIES

Change Management Controls

Organizations constantly modify their information systems to reflect new business practices and take advantage of information technology advances.

Change management is the process of making sure that the changes do not negatively affect:

Systems reliability

Security

Confidentiality

Integrity

Availability

Slide41

CONTROL ACTIVITIES

Design and Use of Adequate Documents and Records

Proper design and use of documents and records helps ensure accurate and complete recording of all relevant transaction data.

Form and content should be kept as simple as possible to:

Promote efficient record keeping

Minimize recording errors

Facilitate review and verification

Documents that initiate a transaction should contain a space for authorization.

Those used to transfer assets should have a space for the receiving party's signature.

Slide42

CONTROL ACTIVITIES

Safeguard Assets, Records, and Data

When people consider safeguarding assets, they most often think of cash and physical assets, such as inventory and equipment.

Another company asset that needs to be protected is information.

Slide43

CONTROL ACTIVITIES

Independent checks:

Top-level reviews

Analytical reviews

Reconciliation of independently maintained sets of records

Comparison of actual quantities with recorded amounts

Double-entry accounting

Independent review

Slide44

INFORMATION AND COMMUNICATION

The seventh component of COSO’s ERM model.

The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization.

So accountants must understand how:

Transactions are initiated

Data are captured in or converted to machine-readable form

Computer files are accessed and updated

Data are processed

Information is reported to internal and external parties

Slide45

MONITORING

The eighth component of COSO’s ERM model.

Monitoring can be accomplished with a series of ongoing events or by separate evaluations.

Slide46

Monitoring

Perform internal control evaluations (e.g., internal audit)

Implement effective supervision

Use responsibility accounting systems (e.g., budgets)

Monitor system activities

Track purchased software and mobile devices

Conduct periodic audits (e.g., external, internal, network security)

Employ a computer security officer

Engage forensic specialists

Install fraud detection software

Implement a fraud hotline