Chapter 7 Controlling Information Systems: Introduction to Internal Control.

Post on 26-Dec-2015



Learning Objectives

• Purpose of adequate internal control

• Organizational/IT management control systems

• Relationship between ethics & sound internal control

• Be familiar with fraud and computer fraud/abuse

• Understanding of operations process and information process control goals

• Describe major categories of control plans


Why Controls?

• To ensure attainment of objectives

• To lessen risks of unwanted outcomes

• Heightened awareness of scandals

• Emphasis by shareholders on corporate governance

• Management’s legal responsibilities

• Highly publicized management and employee fraud

Common Business Exposures

• Erroneous recordkeeping

• Unacceptable accounting

• Business interruption

• Erroneous management decisions

• Fraud and embezzlement

• Statutory sanctions

• Excessive costs

• Loss or destruction of resources

• Competitive disadvantage


Fraud and Control

• Fraud: deliberate act or untruth intended to obtain unfair or unlawful gain.

• Management charged with responsibility to prevent and/or disclose fraud.

• Control systems enable management to do this job

AICPA definition of Internal Control

• SAS 78 (1995) adopted the COSO definition:

• INTERNAL CONTROL is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

– Effectiveness & efficiency of operations

– Reliability of financial reporting

– Compliance with applicable laws & regulations

Five Interrelated Components of Internal Control

1. Control environment - tone at the top

2. Risk assessment - identification/analysis of risks

3. Control activities - policies and procedures

4. Information & communication - processing of information to enable people to do their jobs

5. Monitoring - process that assesses the quality of internal control over time


Gelinas/Sutton’s Working Definition of IC

• …a system of integrated elements - people, structure, processes, and procedures - acting together to provide reasonable assurance that an organization achieves business process goals. The design and operation of the internal control system is the responsibility of top management and therefore should:


(cont.)

• Reflect management’s careful assessment of risks.

• Be based on management’s evaluation of costs versus benefits.

• Be built on management’s strong sense of business ethics and personal integrity.

General Control Model

(Diagram; the labelled elements are:)

• Goals & plans → Desired state of system

• Observe actual state of system → Observations

• Document actual state of system → Documentation

• Evaluate system (actual state against desired state) → Evaluation

• Recommend changes to system → Recommendations


Ethics and Controls

• COSO report stresses ethics as part of control environment (tone at the top)

• AICPA has built ethics issues into CPA exam

• Internal Auditing has ethics articles

• Many corporations have developed a Code of Conduct


Business Process Control Goals & Control Plans

• Goals - ends to be obtained

– operations process

– information process

• Plans - means to ensure that goals are attained

Effectiveness/Efficiency

• Effectiveness

– measure of success in meeting established goals

– For an audit: performing the audit in accordance with generally accepted auditing standards

• Efficiency

– measure of the productivity of resources applied to goals

– For an audit: performing a generally accepted auditing standards audit with minimum chargeable hours


Generic Control Goals

• Operations process goals:

– Ensure effectiveness of operations

– Ensure efficient employment of resources

– Ensure security of resources


Generic Control Goals (cont.)

• Information process goals:

– For transaction inputs, ensure

• Input validity

• Input completeness

• Input accuracy

– For master data, ensure

• update completeness

• update accuracy

Control Goals of Operations Process

• Ensure effectiveness of operations

– ensure operations process is fulfilling its purpose

– satisfying critical success factors

• Ensure efficient employment of resources

– prevent unnecessary waste of resources

– accomplish goals with minimum deployment of resources

• Ensure security of resources

– Lock the door

– Lock the computer door (access codes/passwords)


Control Goals of Info Process

• For transaction data (temporary; used to update master data)

– Input validity (approved/authorized)

– Input completeness (all valid captured/entered)

– Input accuracy (correct data entered correctly)

• For master data (permanent; updated by transaction data)

– Update completeness (all data entered update master)

– Update accuracy (data entered reflected accurately in master)


Control Plans

• Information processing policies and procedures that assist in accomplishing control goals

– Control environment

– Pervasive control plans

– Application control plans

Control Environment

– Overall policies & procedures; demonstrate commitment to control

– Examples: corporate ethics; “Tone at the top”

Pervasive Control Plans

– Address multiple goals & apply to all applications

– Examples: access to systems; fidelity bonds

Application Control Plans

– Relate to specific subsystems or to the technology used

– Examples: edit checks; batch totals
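As an added example (not from the slides), the two application control plans named above, edit checks and batch totals, applied to a constructed batch of sales transactions against a constructed customer master file; the example also checks the update completeness/accuracy goals from the "Control Goals of Info Process" slide. Clerk names, the authorization list, the amount limit and the customer numbers are all assumed.

```python
# Added example: edit checks + batch totals as application control plans.
# All data below is constructed for illustration.
from dataclasses import dataclass

# Constructed master data: customer number -> account balance (permanent data)
MASTER = {1001: 250.0, 1002: 0.0, 1003: 75.5}
APPROVED_CLERKS = {"ann", "bob"}   # assumed authorization list for input validity
AMOUNT_LIMIT = 10000.0             # assumed reasonableness limit for input accuracy

@dataclass
class Txn:            # one transaction input (temporary data)
    cust: int
    amount: float
    clerk: str

def edit_checks(t):
    """Input validity, completeness and accuracy checks for one transaction."""
    errors = []
    if t.clerk not in APPROVED_CLERKS:          # validity: authorized source
        errors.append("unauthorized clerk")
    if t.cust not in MASTER:                    # validity: known customer
        errors.append("unknown customer")
    if t.amount is None or t.clerk == "":       # completeness: required fields present
        errors.append("missing field")
    elif not (0 < t.amount <= AMOUNT_LIMIT):    # accuracy: value within limits
        errors.append("amount out of range")
    return errors

def batch_totals(txns):
    """Control totals the preparer computes beforehand and the system recomputes on input."""
    return {"count": len(txns),
            "amount": round(sum(t.amount or 0 for t in txns), 2),
            "hash": sum(t.cust or 0 for t in txns)}   # hash total of customer numbers

def process_batch(txns, expected, master):
    """Reject the whole batch on a totals mismatch; otherwise post transactions that pass edit checks."""
    if batch_totals(txns) != expected:
        return {"posted": 0, "rejected": [("batch", ["control totals mismatch"])]}
    before = sum(master.values())
    posted, rejected, posted_amount = 0, [], 0.0
    for t in txns:
        errs = edit_checks(t)
        if errs:
            rejected.append((t.cust, errs))
            continue
        master[t.cust] += t.amount              # update master data
        posted += 1
        posted_amount += t.amount
    # update completeness/accuracy: master moved by exactly the posted amount
    assert round(sum(master.values()) - before, 2) == round(posted_amount, 2)
    return {"posted": posted, "rejected": rejected}
```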


Control Plans - other classifications

• Preventive

• Detective

• Corrective

• _______________________________

• Discretionary/Nondiscretionary

• Voluntary/Mandatory

• General/Application
