Chapter 7
Control and AIS
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1
Learning Objectives
Explain basic control concepts and explain why computer control and security are important.
Compare and contrast the COBIT, COSO, and ERM control frameworks.
Describe the major elements in the internal environment of a company
Describe the four types of control objectives that companies need to set.
Describe the events that affect uncertainty and the techniques used to identify them.
Explain how to assess and respond to risk using the Enterprise Risk Management (ERM) model.
Describe control activities commonly used in companies.
Describe how to communicate information and monitor control processes in organizations. 7-2
Internal Control
System to provide reasonable assurance that objectives are met such as: Safeguard assets. Maintain records in sufficient detail to report
company assets accurately and fairly. Provide accurate and reliable information. Prepare financial reports in accordance with
established criteria. Promote and improve operational efficiency. Encourage adherence to prescribed managerial
policies. Comply with applicable laws and regulations.
7-3
Internal Control
Functions
Preventive Deter problems
Detective Discover problems
Corrective Correct problems
Categories
General Overall IC system
and processes
Application Transactions are
processed correctly
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-4
Sarbanes Oxley (2002)
Designed to prevent financial statement fraud, make financial reports more transparent, protect investors, strengthen internal controls, and punish executives who perpetrate fraud Public Company Accounting Oversight Board
(PCAOB) Oversight of auditing profession
New Auditing Rules Partners must rotate periodically Prohibited from performing certain non-audit services
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-5
Sarbanes Oxley (2002)
New Roles for Audit Committee Be part of board of directors and be independent One member must be a financial expert Oversees external auditors
New Rules for Management Financial statements and disclosures are fairly
presented, were reviewed by management, and are not misleading.
The auditors were told about all material internal control weak- nesses and fraud.
New Internal Control Requirements Management is responsible for establishing and
maintaining an adequate internal control system.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-6
SOX Management Rules
Base evaluation of internal control on a recognized framework.
Disclose all material internal control weaknesses.
Conclude a company does not have effective financial reporting internal controls of material weaknesses.
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-7
Internal Control Frameworks
Control Objectives for Information and Related Technology (COBIT) Business objectives IT resources IT processes
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-8
Internal Control Frameworks
Committee of Sponsoring Organizations (COSO) Internal control—integrated framework
Control environment Control activities Risk assessment Information and communication Monitoring
Copyright 2012 © Pearson Education, Inc. publishing as Prentice Hall 7-9
Internal Control Frameworks
Enterprise Risk Management Model Risk-based vs. control-based Components
Internal environment Objective setting Event identification Risk assessment and risk response Control activities Information and communication Monitoring
7-10
Enterprise Risk Management Model
Copyright 2012 © Pearson Education, Inc. publishing as Prentice Hall 7-11
Internal Environment
Management’s philosophy, operating style, and risk appetite
The board of directors
Commitment to integrity, ethical values, and competence
Organizational structure
Methods of assigning authority and responsibility
Human resource standards
External influences
7-12
Objective Setting
Strategic High-level goals aligned with corporate mission
Operational Effectiveness and efficiency of operations
Reporting Complete and reliable Improve decision making
Compliance Laws and regulations are followed
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-13
Event Identification
“…an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives.”
Positive or negative impacts (or both) Events may trigger other events All events should be anticipated
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-14
Risk Assessment
Identify Risk Identify likelihood of risk Identify positive or negative impact
Types of Risk Inherent
Risk that exists before any plans are made to control it
Residual Remaining risk after controls are in place to reduce it
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-15
Risk Response
Reduce Implement effective internal control
Accept Do nothing, accept likelihood of risk
Share Buy insurance, outsource, hedge
Avoid Do not engage in activity that produces risk
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-16
Event/Risk/Response Model
7-17
Control Activities
Policies and procedures to provide reasonable assurance that control objectives are met:
Proper authorization of transactions and activities Signature or code on document to signal authority
over a process
Segregation of duties Project development and acquisition controls Change management controls Design and use of documents and records Safeguarding assets, records, and data Independent checks on performance
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-18
Segregation of Accounting Duties
No one employee should be given too much responsibility
Separate: Authorization
Approving transactions and decisions Recording
Preparing source documents Entering data into an AIS Maintaining accounting records
Custody Handling cash, inventory, fixed assets Receiving incoming checks Writing checks
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-19
Segregation of Accounting Duties
7-20
Segregation of System Duties
Like accounting system duties should also be separated
These duties include: System administration Network management Security management Change management Users Systems analysts Programmers Computer operators Information system librarian Data control
7-21
Information and Communication
Primary purpose of an AIS Gather Record Process Summarize Communicate
Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-22
Monitoring
Evaluate internal control framework.
Effective supervision.
Responsibility accounting system.
Monitor system activities.
Track purchased software and mobile devices.
Conduct periodic audits.
Employ a security officer and compliance officer.
Engage forensic specialists.
Install fraud detection software.
Implement a fraud hotline.7-23