Chapter 7
Control and Accounting Information Systems
Learning Objectives
- Explain basic control concepts and why computer control and security are important.
- Compare and contrast the COBIT, COSO, and ERM control frameworks.
- Describe the major elements in the internal environment of a company.
- Describe the four types of control objectives that companies need to set.
- Describe the events that affect uncertainty and the techniques used to identify them.
- Explain how to assess and respond to risk using the Enterprise Risk Management model.
- Describe control activities commonly used in companies.
- Describe how to communicate information and monitor control processes in organizations.
Why Is Control Needed?
- Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.
- The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.
- The probability that the threat will happen is the likelihood associated with the threat.
A Primary Objective of an AIS
- Is to control the organization so the organization can achieve its objectives.
- Management expects accountants to:
  - Take a proactive approach to eliminating system threats.
  - Detect, correct, and recover from threats when they occur.
Internal Controls
Processes implemented to provide assurance that the following objectives are achieved:
- Safeguard assets
- Maintain sufficient records
- Provide accurate and reliable information
- Prepare financial reports according to established criteria
- Promote and improve operational efficiency
- Encourage adherence to management policies
- Comply with laws and regulations
Functions of Internal Controls
- Preventive controls: deter problems from occurring.
- Detective controls: discover problems that were not prevented.
- Corrective controls: identify and correct problems, and recover from them.
Control Frameworks
- COBIT: framework for IT control.
- COSO: framework for enterprise internal controls (control-based approach).
- COSO-ERM: expands the COSO framework, taking a risk-based approach.
COBIT Framework
The version current when these slides were written is COBIT 5 (ISACA has since released COBIT 2019). COBIT 5 is based on the following principles:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single, integrated framework
- Enabling a holistic approach
- Separating governance from management
COBIT5 Separates Governance from Management
Governance (evaluate, direct, monitor) sets direction and is the board's responsibility; management (plan, build, run, monitor) carries out that direction and is the executive team's responsibility.
Components of COSO Frameworks
COSO Internal Control (IC) framework:
- Control (internal) environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
COSO-ERM framework (eight components; the 2017 revision of COSO-ERM regrouped them into five):
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
Internal Environment
- Management's philosophy, operating style, and risk appetite
- Commitment to integrity, ethical values, and competence
- Internal control oversight by the board of directors
- Organizational structure
- Methods of assigning authority and responsibility
- Human resource standards
Objective Setting
- Strategic objectives: high-level goals
- Operations objectives: effectiveness and efficiency of operations
- Reporting objectives: improve decision making and monitor performance
- Compliance objectives: compliance with applicable laws and regulations
Event Identification
Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization's objectives. Key management questions:
- What could go wrong?
- How can it go wrong?
- What is the potential harm?
- What can be done about it?
Risk Assessment
Risk is assessed from two perspectives:
- Likelihood: probability that the event will occur
- Impact: estimate of the potential loss if the event occurs
Expected loss is impact multiplied by likelihood.
Types of risk:
- Inherent risk: the risk that exists before plans are made to control it
- Residual risk: the risk that is left over after controls are applied
Risk Response
- Reduce: implement effective internal control (worthwhile when the reduction in expected loss exceeds the control's cost)
- Accept: do nothing; accept the likelihood and impact of the risk
- Share: buy insurance, outsource, or hedge
- Avoid: do not engage in the activity
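Worked example of the risk assessment and risk response steps above. This is an added example, not material from the slides or the textbook; the threats, candidate controls, dollar amounts, probabilities, risk appetite, and the rule used to pick among the four responses are all assumptions made for illustration.

```python
"""Worked ERM risk assessment and response selection.

Added example, not from the textbook slides. Every threat, control, dollar
figure, probability and the risk appetite below is constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    impact: float      # exposure: dollar loss if the event occurs
    likelihood: float  # probability the event occurs in a year (0..1)

    @property
    def expected_loss(self) -> float:
        """Inherent risk in dollars: impact x likelihood, before any response."""
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Option:
    """A candidate 'reduce' (internal control) or 'share' (insurance, outsourcing, hedge) response."""
    name: str
    response: str       # "reduce" or "share"
    annual_cost: float  # what the response costs per year
    likelihood: float   # likelihood of the event with the response in place
    impact: float       # loss with the response in place (e.g. the deductible when shared)

    @property
    def residual_expected_loss(self) -> float:
        """Residual risk in dollars: what is left after the response."""
        return self.likelihood * self.impact


def net_benefit(threat: Threat, option: Option) -> float:
    """Cost-benefit of a response: expected loss avoided minus what the response costs."""
    return threat.expected_loss - option.residual_expected_loss - option.annual_cost


def choose_response(threat: Threat, options, risk_appetite: float) -> dict:
    """Pick among the four ERM responses: reduce, share, accept, avoid.

    Each candidate is priced as residual expected loss plus annual cost; doing
    nothing ('accept') is priced at the inherent expected loss. The cheapest
    candidate wins, unless even it leaves residual risk above the risk
    appetite, in which case the activity should be avoided. (This decision
    rule is an assumption of the example, not something the framework prescribes.)
    """
    candidates = [{"response": "accept", "option": None,
                   "residual_expected_loss": threat.expected_loss,
                   "total_cost": threat.expected_loss}]
    for o in options:
        candidates.append({"response": o.response, "option": o.name,
                           "residual_expected_loss": o.residual_expected_loss,
                           "total_cost": o.residual_expected_loss + o.annual_cost})
    best = min(candidates, key=lambda c: c["total_cost"])
    if best["residual_expected_loss"] > risk_appetite:
        return {"response": "avoid", "option": None,
                "residual_expected_loss": best["residual_expected_loss"],
                "total_cost": None}
    return best


# Constructed sample data (assumed figures).
RISK_APPETITE = 5_000.0  # maximum residual expected loss tolerated per threat

PAYROLL_FRAUD = Threat("fictitious employees on payroll", impact=250_000, likelihood=0.04)
PAYROLL_OPTIONS = [
    Option("independent review of payroll master-file changes", "reduce", 3_000, 0.005, 250_000),
    Option("biometric time clocks", "reduce", 12_000, 0.01, 250_000),
    Option("fidelity bond with $25k deductible", "share", 4_000, 0.04, 25_000),
]

CARD_DATA = Threat("breach of card data stored in-house", impact=5_000_000, likelihood=0.05)
CARD_OPTIONS = [Option("tokenize and encrypt card data", "reduce", 80_000, 0.01, 5_000_000)]

PETTY_CASH = Threat("petty cash shortage", impact=500, likelihood=0.5)
PETTY_OPTIONS = [Option("locked cash box with dual keys", "reduce", 400, 0.1, 500)]


if __name__ == "__main__":
    for threat, options in [(PAYROLL_FRAUD, PAYROLL_OPTIONS),
                            (CARD_DATA, CARD_OPTIONS),
                            (PETTY_CASH, PETTY_OPTIONS)]:
        decision = choose_response(threat, options, RISK_APPETITE)
        print(f"{threat.name}: inherent expected loss ${threat.expected_loss:,.0f} -> "
              f"{decision['response']} ({decision['option']})")
```

The payroll threat is reduced (the review control has the best net benefit and brings residual risk within appetite), the petty cash threat is accepted because every control costs more than the loss it avoids, and the card-data threat is avoided because even the best control leaves residual expected loss far above the appetite.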
Control Activities
- Proper authorization of transactions and activities
- Segregation of duties
- Project development and acquisition controls
- Change management controls
- Design and use of documents and records
- Safeguarding assets, records, and data
- Independent checks on performance
Segregation of Duties
No single employee should be able to authorize a transaction, record it, and have custody of the related asset; likewise, systems duties (programming, operations, change management, security administration) are split so that no one person can both introduce and conceal an error or fraud. Segregation does not stop collusion, where two or more employees who together hold the conflicting duties cooperate.
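A segregation-of-duties conflict check, as an added example that is not part of the slides or the textbook. It treats SoD as a policy over duties: a role design check (preventive) flags roles that bundle conflicting duties, and an assignment check (detective) flags users whose combined roles let them perform conflicting duties. The duty names, conflict rules, roles and user assignments are constructed for illustration; a real deployment would load them from the IAM system and the organization's own SoD policy.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not from the textbook slides. The duty names, conflict rules,
roles and user assignments are constructed for illustration.
"""
from collections import defaultdict
from itertools import combinations

# Pairs of duties one person must never hold together. Accounting duties follow
# the authorize / record / custody split; systems duties follow the separation
# of programming, operations, change management and security administration.
# (Assumed policy for this example.)
CONFLICTS = {
    frozenset({"authorize", "record"}),
    frozenset({"authorize", "custody"}),
    frozenset({"record", "custody"}),
    frozenset({"programming", "operations"}),       # developers must not run production
    frozenset({"programming", "change_approval"}),  # nobody approves their own changes
    frozenset({"sysadmin", "security_mgmt"}),       # admins must not police themselves
}

# Role -> duties the role grants (constructed).
ROLE_DUTIES = {
    "ap_clerk": {"record"},
    "purchasing_manager": {"authorize"},
    "cashier": {"custody"},
    "developer": {"programming"},
    "ops_engineer": {"operations"},
    "change_board": {"change_approval"},
    "it_admin": {"sysadmin"},
    "security_officer": {"security_mgmt"},
    "legacy_superuser": {"programming", "operations"},  # badly designed role
}

# (user, role) assignments as exported from an IAM system (constructed).
USER_ROLES = [
    ("alice", "ap_clerk"),
    ("alice", "purchasing_manager"),  # records and authorizes purchases: conflict
    ("bob", "cashier"),
    ("carol", "developer"),
    ("carol", "ops_engineer"),        # can deploy her own code: conflict
    ("dave", "developer"),
    ("erin", "change_board"),
    ("frank", "it_admin"),
]


def conflicting_pairs(duties, conflicts=CONFLICTS):
    """Return sorted (duty_a, duty_b) tuples among `duties` that the policy forbids together."""
    return sorted(pair for pair in combinations(sorted(duties), 2)
                  if frozenset(pair) in conflicts)


def check_role_design(role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Preventive check: a role that bundles conflicting duties violates SoD on its own."""
    return sorted((role, a, b) for role, duties in role_duties.items()
                  for a, b in conflicting_pairs(duties, conflicts))


def duties_by_user(assignments=USER_ROLES, role_duties=ROLE_DUTIES):
    """Collapse role assignments into the effective duty set each user holds."""
    held = defaultdict(set)
    for user, role in assignments:
        held[user] |= role_duties[role]
    return dict(held)


def find_violations(assignments=USER_ROLES, role_duties=ROLE_DUTIES, conflicts=CONFLICTS):
    """Detective check: users whose combined roles let them perform conflicting duties."""
    return sorted((user, a, b)
                  for user, duties in duties_by_user(assignments, role_duties).items()
                  for a, b in conflicting_pairs(duties, conflicts))


if __name__ == "__main__":
    for role, a, b in check_role_design():
        print(f"role design flaw: {role} grants both {a} and {b}")
    for user, a, b in find_violations():
        print(f"SoD violation: {user} can both {a} and {b}")
```

Note what the check cannot see: collusion. Bob (custody) and Alice (record) each pass individually, so a review of this kind has to be paired with independent checks on performance rather than relied on alone.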
Monitoring
- Perform internal control evaluations (e.g., internal audit)
- Implement effective supervision
- Use responsibility accounting systems (e.g., budgets)
- Monitor system activities
- Track purchased software and mobile devices
- Conduct periodic audits (e.g., external, internal, network security)
- Employ a computer security officer
- Engage forensic specialists
- Install fraud detection software
- Implement a fraud hotline
Key Terms
- Threat or event
- Exposure or impact
- Likelihood
- Internal controls
- Preventive controls
- Detective controls
- Corrective controls
- General controls
- Application controls
- Belief system
- Boundary system
- Diagnostic control system
- Interactive control system
- Audit committee
- Foreign Corrupt Practices Act (FCPA)
- Sarbanes-Oxley Act (SOX)
- Public Company Accounting Oversight Board (PCAOB)
- Control Objectives for Information and Related Technology (COBIT)
- Committee of Sponsoring Organizations (COSO)
- Internal Control-Integrated Framework (IC)
- Enterprise Risk Management-Integrated Framework (ERM)
- Internal environment
Key Terms (continued)
- Risk appetite
- Policy and procedures manual
- Background check
- Strategic objectives
- Operations objectives
- Reporting objectives
- Compliance objectives
- Event
- Inherent risk
- Residual risk
- Expected loss
- Control activities
- Authorization
- Digital signature
- Specific authorization
- General authorization
- Segregation of accounting duties
- Collusion
- Segregation of systems duties
- Systems administrator
- Network manager
- Security management
- Change management
- Users
- Systems analysts
- Programmers
- Computer operators
- Information system library
Key Terms (continued)
- Data control group
- Steering committee
- Strategic master plan
- Project development plan
- Project milestones
- Data processing schedule
- System performance measurements
- Throughput
- Utilization
- Response time
- Postimplementation review
- Systems integrator
- Analytical review
- Audit trail
- Computer security officer (CSO)
- Chief compliance officer (CCO)
- Forensic investigators
- Computer forensics specialists
- Neural networks
- Fraud hotline