
Control&accounting information system

Date post: 30-Apr-2015
Upload: sellyhood
Page 1: Control&accounting information system

© 2006 Prentice Hall Business Publishing Accounting Information Systems, 10/e Romney/Steinbart 1 of 314

CHAPTER 6

Control and Accounting Information Systems

Page 2: Control&accounting information system

OVERVIEW OF CONTROL CONCEPTS

• Internal control is the process implemented by the board of directors, management, and those under their direction to provide reasonable assurance that the following control objectives are achieved:
– Assets (including data) are safeguarded.
– Records are maintained in sufficient detail to accurately and fairly reflect company assets.
– Accurate and reliable information is provided.
– There is reasonable assurance that financial reports are prepared in accordance with GAAP.
– Operational efficiency is promoted and improved.
– Adherence to prescribed managerial policies is encouraged.
– The organization complies with applicable laws and regulations.

Page 3: Control&accounting information system

OVERVIEW OF CONTROL CONCEPTS

• Internal controls are often classified as:
– General controls
• e.g., software acquisition/installation controls, which apply to systems of all sizes.
– Application controls
• Completeness check
• Accuracy check

Page 4: Control&accounting information system

Legislative Reaction to Fraud: THE FOREIGN CORRUPT PRACTICES ACT

• In 1977, Congress passed the Foreign Corrupt Practices Act.

• The primary purpose of the act was to prevent the bribery of foreign officials to obtain business.

• A significant effect was to require that corporations maintain good systems of internal accounting control.

Page 5: Control&accounting information system

Legislative Reaction to Fraud: SOX

– The impact on financial markets was substantial, and Congress responded with passage of the Sarbanes-Oxley Act of 2002 (aka, SOX).

Page 6: Control&accounting information system

Legislative Reaction to Fraud: SOX

• The intent of SOX is to:
– Prevent financial statement fraud
– Make financial reports more transparent
– Protect investors
– Strengthen internal controls in publicly-held companies
– Punish executives who perpetrate fraud

• SOX has had a material impact on the way boards of directors, management, and accountants operate.

Page 7: Control&accounting information system

Legislative Reaction to Fraud: SOX

• Important aspects of SOX include:
– Creation of the Public Company Accounting Oversight Board (PCAOB) to oversee the auditing profession.
– New rules for auditors
– New rules for audit committees
– New rules for management
– New internal control requirements

Page 8: Control&accounting information system

Legislative Reaction to Fraud: SOX

• After the passage of SOX, the SEC further mandated that:
– Management must base its evaluation on a recognized control framework, developed using a due-process procedure that allows for public comment. The most likely framework is the COSO model discussed later in the chapter.

– The report must contain a statement identifying the framework used.

– Management must disclose any and all material internal control weaknesses.

– Management cannot conclude that the company has effective internal control if there are any material weaknesses.

Page 9: Control&accounting information system

• Levers of Control (pp 194 -195) skip

Page 10: Control&accounting information system

CONTROL FRAMEWORKS

• A number of frameworks have been developed to help companies develop good internal control systems. Three of the most important are:
– The COBIT framework
– The COSO internal control framework
– COSO’s Enterprise Risk Management framework (ERM)
• An enhanced corporate governance document.
• Expands on elements of preceding framework.
• Provides a focus on the broader subject of enterprise risk management.

Page 11: Control&accounting information system

COSO’S ERM

• COSO developed a model to illustrate the elements of ERM.

Page 12: Control&accounting information system

INTERNAL ENVIRONMENT

• The most critical component of the ERM and the internal control framework.

• Is the foundation on which the other seven components rest.

• Influences how organizations:
– Establish strategies and objectives
– Structure business activities
– Identify, assess, and respond to risk
• A deficient internal control environment often results in risk management and control breakdowns.

Page 13: Control&accounting information system

INTERNAL ENVIRONMENT

• Internal environment consists of the following:
– Management’s attitude toward risk
– Commitment to integrity, ethical values, and competence
– Organizational structure
– Methods of assigning authority and responsibility
– Human resource standards (Background Check)

ROBA = Risk, Organizational structure, Background check, Assigning Responsibility.

Page 14: Control&accounting information system

OBJECTIVE SETTING

• The objective of the Sarbanes-Oxley Act is to strengthen internal controls in public companies.

• AICPA’s five objectives for accounting information systems.

Page 15: Control&accounting information system

EVENT IDENTIFICATION

• Events are:
– Incidents or occurrences that emanate from internal or external sources
– Impact can be positive, negative, or both.
– System design should identify all potential events.

Page 16: Control&accounting information system

RISK ASSESSMENT AND RISK RESPONSE

– Inherent risk:
• The risk before internal controls
– Residual risk:
• The risk after management implements internal controls.

Page 17: Control&accounting information system

RISK ASSESSMENT AND RISK RESPONSE

Risk assessment flowchart (the side label for each step is shown in parentheses):

• Identify the events or threats that confront the company (Threats)
• Estimate the likelihood or probability of each event occurring (Probability)
• Estimate the impact of potential loss from each threat (Impact of Loss)
• Identify set of controls to guard against threat (Identify Controls)
• Estimate costs and benefits from instituting controls (Cost and Benefits)
• Is it cost-beneficial to protect system?
– Yes: Reduce risk by implementing set of controls to guard against threat
– No: Avoid, share, or accept risk

Page 18: Control&accounting information system

CONTROL ACTIVITIES

• The sixth component of COSO’s ERM model.

• Control activities are policies, procedures, and rules that provide reasonable assurance that management’s control objectives are met and their risk responses are carried out.

Page 19: Control&accounting information system

CONTROL ACTIVITIES

• Generally, control procedures fall into one of the following categories:
– Proper authorization of transaction
– Segregation of duties
– Change management controls
– Design and use of documents and records
• Documents that initiate a transaction should contain a space for authorization
– Safeguard assets, records, and data
– Independent checks on performance

Page 20: Control&accounting information system

CONTROL ACTIVITIES

• To learn a little about segregation of duties, let’s first meet Bill.

Page 21: Control&accounting information system

CONTROL ACTIVITIES

• Bill has charge of a pile of the organization’s money—let’s say $1,000.

Page 22: Control&accounting information system

CONTROL ACTIVITIES

• Bill also keeps the books for that money.

Ledger

$1,000

Page 23: Control&accounting information system

CONTROL ACTIVITIES

• Bill has a date tonight, and he’s a little desperate to impress that special someone, so he takes $100 of the cash. (Thinks he’s only borrowing it, you know.)

Ledger

$1,000


Page 25: Control&accounting information system

CONTROL ACTIVITIES

• Bill also records an entry in the books to show that $100 was spent for some “legitimate” purpose. Now the balance in the books is $900.

Ledger

$1,000

Page 26: Control&accounting information system

CONTROL ACTIVITIES

• How will Bill ever get caught at his theft?

Ledger

$900

Page 27: Control&accounting information system

CONTROL ACTIVITIES

• Now let’s change the story. Bill has charge of the pile of cash.

Page 28: Control&accounting information system

CONTROL ACTIVITIES

• But Mary keeps the books.
• This arrangement is a form of segregation of duties.

Ledger

$1,000

Page 29: Control&accounting information system

CONTROL ACTIVITIES

• Bill gets in a pinch again and takes $100 of the organization’s cash.

Ledger

$1,000

Page 30: Control&accounting information system

CONTROL ACTIVITIES

• How will Bill get caught?

Ledger

$1,000

Page 31: Control&accounting information system

CONTROL ACTIVITIES

• Segregation of Accounting Duties
– Effective segregation of accounting duties is achieved when the following functions are separated:
• Authorization—approving transactions and decisions.
• Recording—Preparing source documents; maintaining journals, ledgers, or other files; preparing reconciliations; and preparing performance reports.
• Custody—Handling cash, maintaining an inventory storeroom, receiving incoming customer checks, writing checks on the organization’s bank account.

– If any two of the preceding functions are the responsibility of one person, then problems can arise.

Page 32: Control&accounting information system

CONTROL ACTIVITIES

CUSTODIAL FUNCTIONS

• Handling cash

• Handling inventories, tools, or fixed assets

• Writing checks

• Receiving checks in mail

AUTHORIZATION FUNCTIONS

• General Authorization

• Specific authorization

RECORDING FUNCTIONS

• Preparing source documents

• Maintaining journals, ledgers, or other files

• Preparing reconciliations

• Preparing performance reports
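The three-way split above can be checked mechanically against a duty roster. The following is an added example, not part of the original slides: the duty names are the ones listed on this slide, while the function name `sod_conflicts` and the employee roster are constructed for illustration.

```python
from itertools import combinations

# Duty -> function mapping, taken from the custodial / authorization /
# recording lists on the slide above.
DUTY_FUNCTION = {
    "handling cash": "custody",
    "handling inventories, tools, or fixed assets": "custody",
    "writing checks": "custody",
    "receiving checks in mail": "custody",
    "general authorization": "authorization",
    "specific authorization": "authorization",
    "preparing source documents": "recording",
    "maintaining journals, ledgers, or other files": "recording",
    "preparing reconciliations": "recording",
    "preparing performance reports": "recording",
}

def sod_conflicts(assignments):
    """Flag every employee whose duties span two or more of the three functions.

    Returns {employee: [(function_a, function_b, duties_a, duties_b), ...]}.
    A duty that is not in the mapping raises ValueError instead of being
    silently ignored, so an unclassified duty cannot hide a conflict.
    """
    findings = {}
    for employee, duties in assignments.items():
        by_function = {}
        for duty in duties:
            key = duty.strip().lower()
            if key not in DUTY_FUNCTION:
                raise ValueError(f"unclassified duty for {employee}: {duty!r}")
            by_function.setdefault(DUTY_FUNCTION[key], []).append(key)
        pairs = [(a, b, by_function[a], by_function[b])
                 for a, b in combinations(sorted(by_function), 2)]
        if pairs:
            findings[employee] = pairs
    return findings

# Constructed sample roster (hypothetical employees, not from the slides).
SAMPLE = {
    "clerk_a": ["Handling cash", "Maintaining journals, ledgers, or other files"],
    "clerk_b": ["Handling cash", "Writing checks"],
    "supervisor_c": ["Specific authorization"],
    "clerk_d": ["General authorization", "Preparing source documents",
                "Receiving checks in mail"],
}

if __name__ == "__main__":
    for emp, pairs in sod_conflicts(SAMPLE).items():
        for a, b, duties_a, duties_b in pairs:
            print(f"{emp}: {a} {duties_a} combined with {b} {duties_b}")
```

A clean result only shows that no single person holds two functions; as the later slides note, collusion and missing independent checks are outside what a roster check can see.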

Page 33: Control&accounting information system

Can you tell me what seems wrong?

• An employee receives checks in the mail and records receipts in the Cash Receipts journal.

• An employee authorizes credit sales and has custody of Finished Goods Inventory.

• An employee enters sales transactions into the accounting system and has custody of Finished Goods inventory.

• An employee receives checks in the mail and has access to the Petty Cash Fund.

Page 34: Control&accounting information system

CONTROL ACTIVITIES

• In a system that incorporates an effective separation of duties, it should be difficult for any single employee to commit embezzlement successfully.

• But when two or more people collude, then segregation of duties becomes impotent and controls are overridden.

Page 35: Control&accounting information system

CONTROL ACTIVITIES

• If this happens . . .

Ledger

$1,000

Page 36: Control&accounting information system

CONTROL ACTIVITIES

Ledger

$1,000

• Then segregation of duties is out the window. Collusion overrides segregation.

Page 37: Control&accounting information system

CONTROL ACTIVITIES

• Generally, control procedures fall into one of the following categories:
– Proper authorization of transactions and activities
– Segregation of duties
– Project development and acquisition controls
• Strategic master plan
– Change management controls
– Design and use of documents and records
– Safeguard assets, records, and data
– Independent checks on performance

Page 38: Control&accounting information system

CONTROL ACTIVITIES

• Let’s look at Bill and Mary again. Assume that Bill stole cash but Mary did NOT alter the books.

Ledger

$1,000

Page 39: Control&accounting information system

CONTROL ACTIVITIES

• Can Bill’s theft be discovered if an independent party doesn’t compare a count of the cash to what’s recorded on the books?

Ledger

$1,000

Page 40: Control&accounting information system

CONTROL ACTIVITIES

• Segregation of duties only has value when supplemented by independent checks.

Ledger

$1,000

Page 41: Control&accounting information system

CONTROL ACTIVITIES

• The following independent checks are typically used:
– Top-level reviews
– Analytical reviews
– Reconciliation of independently maintained sets of records
– Comparison of actual quantities with recorded amounts

Page 42: Control&accounting information system

CONTROL ACTIVITIES

• The following independent checks are typically used:
– Top-level reviews
– Analytical reviews

• Examinations of relationships between different sets of data.

• EXAMPLE: If credit sales increased significantly during the period and there were no changes in credit policy, then bad debt expense should probably have increased also.

• Management should periodically analyze and review data relationships to detect fraud and other business problems.

Page 43: Control&accounting information system

INFORMATION AND COMMUNICATION

• The seventh component of COSO’s ERM model.

• The primary purpose of the AIS is to gather, record, process, store, summarize, and communicate information about an organization.

• So accountants must understand how:
– Transactions are initiated
– Data are captured in or converted to machine-readable form
– Computer files are accessed and updated
– Data are processed
– Information is reported to internal and external parties

Page 44: Control&accounting information system

INFORMATION AND COMMUNICATION

• According to the AICPA, an AIS has five primary objectives:
– Identify and record all valid transactions.
– Properly classify transactions.
– Record transactions at their proper monetary value.
– Record transactions in the proper accounting period.
– Properly present transactions and related disclosures in the financial statements.

Page 45: Control&accounting information system

MONITORING

• Internal Monitoring

• When independent auditors come to a client’s site, it is an independent review, not operational monitoring.

Page 46: Control&accounting information system

MONITORING

• Key methods of monitoring performance include:

– Implement effective supervision
– Monitor system activities
– Track purchased software licenses.
– Employ internal auditors to review the system
– Employ a computer security officer
– Install fraud detection software
– Implement a fraud hotline

