Chapter 7
Controlling Information Systems:
Introduction to Internal Control
Learning Objectives
• Purpose of adequate internal control
• Organizational/IT management control systems
• Relationship between ethics & sound internal control
• Be familiar w/ fraud, computer fraud/abuse
• Understanding of operations process and information process control goals
• Describe major categories of control plans
Why Controls?
• To ensure attainment of objectives
• To lessen risks of unwanted outcomes
• Heightened awareness of scandals
• Emphasis by s/h on corporate governance
• Management’s legal responsibilities
• Highly publicized management and employee fraud
Common Business Exposures
• Erroneous recordkeeping
• Unacceptable accounting
• Business interruption
• Erroneous management decisions
• Fraud and embezzlement
• Statutory sanctions
• Excessive costs
• Loss or destruction of resources
• Competitive disadvantage
Fraud and Control
• Fraud: deliberate act or untruth intended to obtain unfair or unlawful gain.
• Management charged with responsibility to prevent and/or disclose fraud.
• Control systems enable management to do this job
AICPA definition of Internal Control
• SAS 78 (1995) - adopted COSO definition:
• INTERNAL CONTROL is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
– Effectiveness & efficiency of operations
– Reliability of financial reporting
– Compliance with applicable laws & regulations.
Five Interrelated Components of Internal Control
1. Control environment - tone at the top
2. Risk assessment - identification/analysis of risks
3. Control activities - policies and procedures
4. Information & communication - processing of info to enable people to do their jobs
5. Monitoring - process that assesses the quality of internal control over time
Gelinas/Sutton’s Working Definition of IC
• …a system of integrated elements - people, structure, processes, and procedures - acting together to provide reasonable assurance that an organization achieves business process goals. The design and operation of the internal control system is the responsibility of top management and therefore should:
(cont.)
• Reflect management’s careful assessment of risks.
• Be based on management’s evaluation of costs versus benefits.
• Be built on management’s strong sense of business ethics and personal integrity.
General Control Model
(Figure: control loop; labels recovered from the diagram)
• Goals & plans → Desired state of system
• Observe actual state of system → Observations
• Document actual state of system → Documentation
• Evaluate system → Evaluation
• Recommend changes to system → Recommendations
Ethics and Controls
• COSO report stresses ethics as part of control environment (tone at the top)
• AICPA has built ethics issues into CPA exam
• Internal Auditing has ethics articles
• Many corporations have developed Code of Conduct
Business Process Control Goals & Control Plans
• Goals - ends to be obtained
– operations process
– information process
• Plans - means to ensure that goals are attained
Effectiveness/Efficiency
• Effectiveness
– measure of success in meeting established goals
– For an audit - performing the audit in accordance with generally accepted auditing standards
• Efficiency
– measure of the productivity of resources applied to goals
– For an audit - performing a generally accepted auditing standards audit with minimum chargeable hours
Generic Control Goals
• Operations process goals:
– Ensure effectiveness of operations
– Ensure efficient employment of resources
– Ensure security of resources
Generic Control Goals (cont.)
• Information process goals:
– For transaction inputs, ensure
• Input validity
• Input completeness
• Input accuracy
– For master data, ensure
• update completeness
• update accuracy
Control Goals of Operations Process
• Ensure effectiveness of operations
– ensure operations process is fulfilling its purpose
– satisfying critical success factors
• Ensure efficient employment of resources
– prevent unnecessary waste of resources
– accomplish goals w/ minimum deployment of resources
• Ensure security of resources
– Lock the door
– Lock the computer door (access codes/passwords)
Control Goals of Info Process
• For transaction data (temporary; used to update)
– Input validity (approved/authorized)
– Input completeness (all valid captured/entered)
– Input accuracy (correct data entered correctly)
• For master data (permanent; update by trans data)
– Update completeness (all data entered update master)
– Update accuracy (data entered reflected accurately in master)
Control Plans
• Information processing policies and procedures that assist in accomplishing control goals
– Control environment
– Pervasive control plans
– Application control plans
(Table from the slide, rebuilt as a list: each category, what it covers, and the slide’s examples)
• Control Environment
– Overall policies & procs.; demonstrate commitment to control
– Examples: corporate ethics; “tone at the top”
• Pervasive Control Plans
– Address multiple goals & apply to all applications
– Examples: access to systems; fidelity bonds
• Application Control Plans
– Relate to specific subsystems or to the technology used
– Examples: edit checks; batch totals
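The two application control plans the slide names, edit checks and batch totals, are easiest to understand when you see them enforce the information process control goals from the earlier slide (input validity, completeness and accuracy; update completeness and accuracy). The following is an added example, not material from the course slides or from Gelinas/Sutton: the master data, the approver list, the reasonableness limit and the three sample batches are all constructed for illustration, and the goal names in each finding are this example’s own labelling.

```python
"""Added example (not from the slides): edit checks and batch totals as
application control plans, with every finding tagged by the information
process control goal it serves. Master data, approvers, the reasonableness
limit and the batches below are constructed for illustration."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Optional

MASTER_BALANCES = {"C100": Decimal("0.00"), "C200": Decimal("50.00")}  # constructed master data
AUTHORISED_APPROVERS = {"jsmith", "alee"}                               # constructed approval list
MAX_INVOICE = Decimal("10000.00")                                        # assumed reasonableness limit


@dataclass(frozen=True)
class Txn:
    txn_id: int
    customer: str
    amount: str        # kept as text so a malformed amount reaches the edit check
    approved_by: str


@dataclass(frozen=True)
class BatchHeader:
    record_count: int  # number of records the preparer says were sent
    amount_total: str  # financial total the preparer computed
    hash_total: int    # sum of txn_ids: a meaningless total that catches dropped/duplicated records


def edit_checks(txn: Txn) -> list:
    """Field-level edit checks on one transaction (input validity, input accuracy)."""
    findings = []
    if txn.approved_by not in AUTHORISED_APPROVERS:
        findings.append(f"txn {txn.txn_id}: input validity - approver {txn.approved_by!r} not authorised")
    if txn.customer not in MASTER_BALANCES:
        findings.append(f"txn {txn.txn_id}: input validity - customer {txn.customer!r} not on master file")
    try:
        amount = Decimal(txn.amount)
    except InvalidOperation:
        findings.append(f"txn {txn.txn_id}: input accuracy - amount {txn.amount!r} is not numeric")
        return findings
    if not (Decimal("0") < amount <= MAX_INVOICE):
        findings.append(f"txn {txn.txn_id}: input accuracy - amount {amount} outside (0, {MAX_INVOICE}]")
    return findings


def batch_totals(header: BatchHeader, txns: list) -> list:
    """Batch-total checks: what the preparer says was sent versus what arrived
    (input completeness via record count and hash total, input accuracy via the financial total)."""
    findings = []
    if len(txns) != header.record_count:
        findings.append(f"input completeness - record count {len(txns)} != header {header.record_count}")
    hash_total = sum(t.txn_id for t in txns)
    if hash_total != header.hash_total:
        findings.append(f"input completeness - hash total {hash_total} != header {header.hash_total}")
    amounts = []
    for t in txns:
        try:
            amounts.append(Decimal(t.amount))
        except InvalidOperation:
            pass  # reported per record by edit_checks; left out of the total here
    amount_total = sum(amounts, Decimal("0"))
    if amount_total != Decimal(header.amount_total):
        findings.append(f"input accuracy - amount total {amount_total} != header {header.amount_total}")
    return findings


def post_batch(header: BatchHeader, txns: list, master: Optional[dict] = None) -> dict:
    """Reject the whole batch on any input finding (master untouched); otherwise post it
    and confirm update completeness and update accuracy against the batch header."""
    master = dict(MASTER_BALANCES if master is None else master)
    findings = batch_totals(header, txns)
    for t in txns:
        findings.extend(edit_checks(t))
    if findings:
        return {"posted": False, "findings": findings, "master": master}
    before = dict(master)
    for t in txns:
        master[t.customer] += Decimal(t.amount)
    # Update completeness: every posted transaction moved its master record (amounts are > 0).
    if not all(master[t.customer] > before[t.customer] for t in txns):
        findings.append("update completeness - a transaction did not reach its master record")
    # Update accuracy: the master file moved by exactly the batch financial total.
    delta = sum((master[c] - before[c] for c in master), Decimal("0"))
    if delta != Decimal(header.amount_total):
        findings.append(f"update accuracy - master moved by {delta}, header says {header.amount_total}")
    return {"posted": not findings, "findings": findings, "master": master}


# Constructed sample batches.
GOOD_HEADER = BatchHeader(record_count=2, amount_total="150.00", hash_total=3)
GOOD_TXNS = [Txn(1, "C100", "100.00", "jsmith"), Txn(2, "C200", "50.00", "alee")]
BAD_HEADER = BatchHeader(record_count=3, amount_total="175.00", hash_total=6)
BAD_TXNS = [Txn(1, "C100", "100.00", "jsmith"),
            Txn(2, "C999", "abc", "bob"),   # unknown customer, unauthorised approver, bad amount
            Txn(3, "C200", "75.00", "alee")]
SHORT_TXNS = GOOD_TXNS[:1]                  # one record lost in transit; header still says 2

if __name__ == "__main__":
    for name, h, t in [("good", GOOD_HEADER, GOOD_TXNS), ("bad", BAD_HEADER, BAD_TXNS), ("short", GOOD_HEADER, SHORT_TXNS)]:
        result = post_batch(h, t)
        print(name, "posted" if result["posted"] else "rejected", *result["findings"], sep="\n  ")
```

Two design points worth noticing: the batch totals in the “bad” batch all agree with the header, so only the record-level edit checks catch its problems, while the “short” batch passes every edit check and is caught only by the totals. Each plan covers goals the other cannot, which is why the slide lists both. Rejecting the whole batch before any posting is what keeps the update goals simple to verify afterwards.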
Control Plans - other classifications
• Preventive
• Detective
• Corrective
• _______________________________
• Discretionary/Nondiscretionary
• Voluntary/Mandatory
• General/Application
Learning Objectives
• Purpose of adequate internal control
• Organizational/IT management control systems
• Relationship between ethics & internal control
• Be familiar w/ fraud, computer fraud/abuse
• Understanding of operations process and information process control goals
• Describe major categories of control plans