Accounting Information Systems:
Essential Concepts and Applications
Fourth Edition by Wilkinson, Cerullo, Raval,
and Wong-On-Wing
Chapter 7: Risk Exposures
and the Internal Control
Structure
Slides Authored by Somnath Bhattacharya, Ph.D. Florida Atlantic University
Internal Control
Internal control is the state that management strives to achieve in order to obtain reasonable assurance that the firm's objectives will be met
The controls encompass all the measures and practices used to counteract exposures to risk
The framework within which these controls are organized is called the Internal Control Structure
Objectives of the Internal
Control Structure
Promoting Effectiveness and Efficiency of Operations
Reliability of Financial Reporting
Safeguarding assets
Checking the accuracy and reliability of accounting data
Compliance with applicable laws and regulations
Encouraging adherence to prescribed managerial policies
Components and Major
Considerations of the IC Structure
Figure 7-1: the Internal Control Structure has five components: Control Environment, Risk Assessment, Control Activities, Information & Communication, and Monitoring. Control Activities divide into activities related to Financial Reporting and activities related to Information Processing; the latter comprise General Controls and Application Controls.
Control Environment
The Control Environment establishes the tone of a company, influencing the control consciousness of its employees
It is comprised of the following eight components:
• Management philosophy and operating style
• Integrity and ethical values
• Commitment to competence
• The Board of Directors and the Audit Committee
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and practices
• External influences
Highlights of CE Components - I
Management Philosophy and Operating Style
• Does management emphasize short-term profits and operating goals over long-term goals?
• Is management dominated by one or a few individuals?
• What type of business risks does management take, and how are these risks managed?
• Is management conservative or aggressive toward selecting from available alternative accounting principles?
Figure 7-2
Figure 7-2 Continued
Highlights of CE Components - II
Organization Structure
• Is an up-to-date organization chart prepared, showing the names of key personnel?
• Is the information systems function separated from incompatible functions?
• How is the accounting department organized?
• Is the internal audit function separate and distinct from accounting?
• Do subordinate managers report to more than one supervisor?
Assignment of Authority and Responsibility
• Does the company prepare written employee job descriptions defining specific duties and reporting relationships?
• Is written approval required for changes made to information systems?
• Does the company clearly delineate to employees and managers the boundaries of authority-responsibility relationships?
• Does the company properly delegate authority to employees and departments?
Figure 7-2 Continued
Highlights of CE Components - III
Human Resource Policies and Practices
• Are new personnel indoctrinated with respect to internal controls, ethics policies, and the corporate code of conduct?
• Is the company in compliance with the ADA? The EEOA?
• Are grievance procedures to manage conflict in force?
• Does the company maintain a sound employee relations program?
• Do employees work in a safe, healthy environment?
• Are counseling programs available to employees?
• Are proper separation programs in force for employees who leave the firm?
• Are critical employees bonded?
Figure 7-2 Continued
Highlights of CE Components - IV
Key Functions Performed
by Audit Committees
• Establish an Internal Audit Department
• Review the scope and status of audits
• Review audit findings with the Board and ensure that management has taken the proper action recommended in the Audit Report and the Letter of Reportable Conditions
• Maintain a direct line of communication among the Board, management, external and internal auditors, and periodically arrange meetings among the parties
Figure 7-3
Key Functions Performed
by Audit Committees
• Review the audited financial statements with the internal auditors and the Board of Directors
• Require periodic quality reviews of the operations of the Internal Audit Department to identify areas needing improvement
• Supervise special investigations, such as fraud investigations
• Assess the performance of financial management
• Require the review of compliance with laws and regulations and with corporate codes of conduct
Figure 7-3
Risk Assessment
Top management must be directly involved in business risk assessment.
This involves identifying and analyzing the relevant risks that may prevent attainment of company-wide objectives and the objectives of organizational units, and forming a plan that determines how those risks will be managed.
Control Activities - I
Control Activities as related to Financial Reporting may be classified according to their intended uses in a system:
• Preventive Controls block adverse events, such as errors or losses, from occurring
• Detective Controls discover the occurrence of adverse events such as operational inefficiency
• Corrective controls are designed to remedy problems discovered through detective controls
• Security Measures are intended to provide adequate safeguards over access to and use of assets and data records
Control Activities - II
Control Activities relating to Information Processing may also be classified according to where they will be applied within the system
• General controls are those controls that pertain to all activities involving a firm’s AIS and assets
• Application controls relate to specific accounting tasks or transactions
The overall trend seems to be going from specific application controls to more global general controls
Control Activities - III
Performance Reviews
Comparing Budgets to Actual Values
Relating different sets of data (operating or financial) to one another, together with analysis of the relationships and investigative and corrective action
Reviewing Functional Performance such as a bank’s consumer loan manager’s review of reports by branch, region, and loan type for loan approvals and collections
Information & Communication
All Transactions entered for processing are Valid and Authorized
All valid transactions are captured and entered for processing on a Timely Basis and in Sufficient Detail to permit the proper Classification of Transactions
The input data of all entered transactions are Accurate and Complete, with the transactions being expressed in proper Monetary terms
All entered transactions are processed properly to update all affected records of Master Files and/or Other Types of Data sets
All required Outputs are prepared according to Appropriate Rules to provide Accurate and Reliable Information
All transactions are recorded in the proper Accounting Period
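The control objectives above (valid and authorized, complete, accurate in monetary terms, properly classified, recorded in the proper period) are what an application's input edit checks enforce. The following is an added example written for this page, not code from the textbook: it turns each objective into a programmatic check and runs the checks over a constructed batch of journal entries, reporting every exception so the rejects can be reviewed by a clerk. The field names, the approver table with its limits, the chart of accounts and the open period are all assumptions made for the example.

```python
"""Application-level edit checks over a transaction batch (added example)."""
from datetime import date
from decimal import Decimal, InvalidOperation

# Assumed authorization table: approver -> maximum amount they may approve.
APPROVAL_LIMITS = {"jlee": Decimal("10000.00"), "mpatel": Decimal("50000.00")}
# Assumed chart of accounts (valid general-ledger codes).
CHART_OF_ACCOUNTS = {"1100", "1200", "2100", "4000", "5100"}
REQUIRED_FIELDS = ("doc_no", "posting_date", "debit_acct", "credit_acct",
                   "amount", "prepared_by", "approved_by")
# Assumed open accounting period: only postings dated inside it are accepted.
OPEN_PERIOD = (date(2024, 3, 1), date(2024, 3, 31))


def edit_check(txn, open_period, seen_doc_nos):
    """Return the exceptions for one transaction; an empty list means it passes."""
    errors = []

    # Completeness: every required field present and non-blank. Stop here if not,
    # since the remaining checks would only cascade from the missing data.
    missing = [f for f in REQUIRED_FIELDS if not str(txn.get(f, "")).strip()]
    if missing:
        return [f"missing fields: {', '.join(missing)}"]

    # Validity: a document number may appear once per batch (no double posting).
    if txn["doc_no"] in seen_doc_nos:
        errors.append("duplicate document number")
    seen_doc_nos.add(txn["doc_no"])

    # Authorization: approver is on the table and is not the preparer.
    approver = txn["approved_by"]
    if approver not in APPROVAL_LIMITS:
        errors.append(f"approver {approver!r} not authorized")
    elif approver == txn["prepared_by"]:
        errors.append("preparer approved own entry (no segregation of duties)")

    # Accuracy in monetary terms: parseable, positive, whole cents, within limit.
    try:
        amount = Decimal(str(txn["amount"]))
        if amount <= 0:
            errors.append("amount must be positive")
        elif amount != amount.quantize(Decimal("0.01")):
            errors.append("amount has more than two decimal places")
        elif approver in APPROVAL_LIMITS and amount > APPROVAL_LIMITS[approver]:
            errors.append(f"amount exceeds {approver}'s approval limit")
    except InvalidOperation:
        errors.append(f"amount {txn['amount']!r} is not a valid monetary value")

    # Classification: both accounts exist and the entry is not self-referential.
    for side in ("debit_acct", "credit_acct"):
        if txn[side] not in CHART_OF_ACCOUNTS:
            errors.append(f"{side} {txn[side]!r} not in chart of accounts")
    if txn["debit_acct"] == txn["credit_acct"]:
        errors.append("debit and credit account are identical")

    # Proper period: posting date must fall inside the open accounting period.
    start, end = open_period
    posted = txn["posting_date"]
    if not isinstance(posted, date):
        errors.append("posting_date is not a date")
    elif not start <= posted <= end:
        errors.append(f"posting date {posted} outside open period {start}..{end}")

    return errors


def run_batch(batch, open_period=OPEN_PERIOD):
    """Run the edit checks over a batch; return {doc_no: [exceptions]} for rejects."""
    seen, rejects = set(), {}
    for i, txn in enumerate(batch):
        errs = edit_check(txn, open_period, seen)
        if errs:
            rejects[txn.get("doc_no") or f"<row {i}>"] = errs
    return rejects


def entry(doc_no, posting_date, debit, credit, amount, prepared_by, approved_by):
    return {"doc_no": doc_no, "posting_date": posting_date, "debit_acct": debit,
            "credit_acct": credit, "amount": amount, "prepared_by": prepared_by,
            "approved_by": approved_by}


# Constructed sample batch (not real data). Only the first entry is clean.
SAMPLE_BATCH = [
    entry("JE-1001", date(2024, 3, 15), "5100", "1100", "1250.00", "aross", "jlee"),
    entry("JE-1002", date(2024, 3, 16), "1200", "4000", "15000.00", "jlee", "jlee"),
    entry("JE-1003", date(2024, 3, 18), "5100", "2100", "99.999", "aross", "mpatel"),
    entry("JE-1004", date(2024, 4, 2), "1100", "1200", "400.00", "aross", "jlee"),
    entry("JE-1001", date(2024, 3, 15), "5100", "1100", "1250.00", "aross", "jlee"),
    entry("JE-1005", date(2024, 3, 20), "5100", "1100", "75.00", "aross", ""),
]

if __name__ == "__main__":
    for doc, errs in run_batch(SAMPLE_BATCH).items():
        print(doc, "->", "; ".join(errs))
```

The checks are ordered so that a record failing completeness is rejected at once rather than producing a cascade of derived errors, and amounts are handled as Decimal rather than float so that "whole cents" can be tested exactly. Note that the duplicate-document check is stateful across the batch, which is why the set of seen document numbers is threaded through the calls.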
Risk
Business firms face risks that reduce the chances of achieving their control objectives.
Risk exposures arise from internal sources, such as employees, as well as external sources, such as computer hackers.
Risk assessment consists of identifying relevant risks, analyzing the extent of exposure to those risks, and managing risks by proposing effective control procedures.
Figure 7-4
Some Typical Sources of Risk - I
Clerical and Operational Employees, who process transactional data and have access to Assets
Computer Programmers, who have knowledge relating to the Instructions by which transactions are processed
Managers and Accountants, who have access to Records and Financial Reports and often have Authority to Approve Transactions
Figure 7-4 Continued
Some Typical Sources of Risk - II
Former Employees, who may still understand the Control Structure and may harbor grudges against the firm
Customers and Suppliers, who generate many of the transactions processed by the firm
Competitors, who may desire to acquire confidential information of the firm
Outside Persons, such as Computer Hackers and Criminals, who have various reasons to access the firm's data or its assets or to commit destructive acts
Acts of Nature or Accidents, such as floods, fires, and equipment breakdowns
Types of Risks
Unintentional errors
Deliberate Errors (Fraud)
Unintentional Losses of Assets
Thefts of assets
Breaches of Security
Acts of Violence and Natural Disasters
Factors that Increase Risk
Exposure
Frequency - the more frequent an occurrence of a transaction the greater the exposure to risk
Vulnerability - liquid and/or portable assets contribute to risk exposure
Size of the potential loss - the higher the monetary value of a loss, the greater the risk exposure
Problem Conditions
Affecting Risk Exposures
Collusion (both internal and external), which is the cooperation of two or more people for a fraudulent purpose, is difficult to counteract even with sound control procedures
Lack of Enforcement: management may decline to prosecute wrongdoers because of the potential embarrassment, which weakens the deterrent effect of the controls
Computer crime poses very high degrees of risk, and fraudulent activities are difficult to detect
Computer Crime
Computer crime (computer abuse) is the use of a computer to deceive for personal gain.
Due to the proliferation of networks and personal computers, computer crime is expected to significantly increase both in frequency and amount of loss.
It is speculated that a relatively small proportion of computer crime gets detected and an even smaller proportion gets reported.
Examples of Computer
Crime
Theft of Computer Hardware & Software
Unauthorized Use of Computer Facilities for Personal Use
Fraudulent Modification or Use of Data or Programs
Reasons Why Computers
Cause Control Problems
Processing is Concentrated
Audit Trails may be Undermined
Human Judgment is bypassed
Data are stored in Device-Oriented rather than Human-Oriented forms (Invisible Data)
Stored data are Erasable
Data are stored in a Compressed form
Stored data are relatively accessible
Computer Equipment is Powerful but Complex and Vulnerable
Feasibility of Controls
Audit Considerations
Cost-Benefit Considerations
Determine Specific Computer Resources Subject to Control
Determine all Potential Threats to the company’s Computer System
Assess the Relevant Risks to which the firm is exposed
Measure the Extent of each Relevant Risk exposure in dollar terms
Multiply the Estimated Effect of each Relevant Risk Exposure by the Estimated Frequency of Occurrence over a Reasonable Period, such as a year
Compute the Cost of Installing and Maintaining a Control that is to Counter each Relevant Risk Exposure
Compare the Benefits against the Costs of Each Control
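The steps above amount to a simple annualized-loss calculation. The following is an added worked example for this page, not code from the textbook: it measures each relevant risk exposure in dollars, multiplies by the estimated yearly frequency to obtain an annualized loss expectancy, costs each candidate control as its installation cost spread over its useful life plus yearly maintenance, and recommends only controls whose reduction in expected loss exceeds their annual cost. The threats, dollar figures, frequencies and control effects are constructed for the example; the straight-line amortization of installation cost is likewise an assumption.

```python
"""Cost-benefit screen for candidate controls (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    loss_per_event: float    # extent of the exposure, in dollars, per occurrence
    events_per_year: float   # estimated frequency over a one-year period

    def ale(self) -> float:
        """Annualized loss expectancy: dollar effect x yearly frequency."""
        return self.loss_per_event * self.events_per_year


@dataclass(frozen=True)
class Control:
    name: str
    threat: str                 # the relevant risk exposure this control counters
    install_cost: float
    useful_life_years: int
    annual_maintenance: float
    frequency_reduction: float  # share of occurrences prevented (preventive effect)
    loss_reduction: float       # share of each loss recovered (detective/corrective effect)

    def annual_cost(self) -> float:
        """Installation amortized straight-line over useful life, plus maintenance."""
        return self.install_cost / self.useful_life_years + self.annual_maintenance

    def residual_ale(self, t: Threat) -> float:
        """ALE that remains once the control is in place."""
        return (t.loss_per_event * (1 - self.loss_reduction)
                * t.events_per_year * (1 - self.frequency_reduction))


def evaluate(threats, controls):
    """Return {control: (annual benefit, annual cost, net benefit)} rounded to cents."""
    by_name = {t.name: t for t in threats}
    results = {}
    for c in controls:
        t = by_name[c.threat]
        benefit = t.ale() - c.residual_ale(t)
        cost = c.annual_cost()
        results[c.name] = (round(benefit, 2), round(cost, 2), round(benefit - cost, 2))
    return results


def recommend(results):
    """Controls worth installing (positive net benefit), best first."""
    return sorted((n for n, (_, _, net) in results.items() if net > 0),
                  key=lambda n: -results[n][2])


# Constructed figures (not real data).
THREATS = [
    Threat("Duplicate vendor payment", loss_per_event=8_000, events_per_year=6),
    Threat("Unauthorized program change", loss_per_event=120_000, events_per_year=0.25),
    Threat("Disk failure without backup", loss_per_event=200_000, events_per_year=0.1),
    Threat("Petty cash shortage", loss_per_event=50, events_per_year=12),
]
CONTROLS = [
    Control("Three-way match before payment", "Duplicate vendor payment",
            install_cost=30_000, useful_life_years=5, annual_maintenance=4_000,
            frequency_reduction=0.90, loss_reduction=0.0),
    Control("Change-authorization workflow", "Unauthorized program change",
            install_cost=25_000, useful_life_years=5, annual_maintenance=8_000,
            frequency_reduction=0.80, loss_reduction=0.0),
    Control("Nightly off-site backup", "Disk failure without backup",
            install_cost=10_000, useful_life_years=5, annual_maintenance=6_000,
            frequency_reduction=0.0, loss_reduction=0.85),
    Control("Full-time petty cash auditor", "Petty cash shortage",
            install_cost=0, useful_life_years=1, annual_maintenance=45_000,
            frequency_reduction=0.95, loss_reduction=0.0),
]

if __name__ == "__main__":
    results = evaluate(THREATS, CONTROLS)
    for name, (benefit, cost, net) in results.items():
        print(f"{name}: benefit {benefit:,.2f}  cost {cost:,.2f}  net {net:,.2f}")
    print("Recommend:", recommend(results))
```

The petty-cash case is the one to notice: the control is very effective (it prevents 95% of shortages) yet its cost dwarfs the exposure it addresses, so it fails the comparison. A preventive control is modelled as reducing frequency and a detective or corrective control as reducing the loss per event; a control that does both can set both fractions.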
Legislation
The Foreign Corrupt Practices Act of 1977
Of the federal legislation governing the use of computers, the Computer Fraud and Abuse Act of 1984 (amended in 1986) is perhaps the most important. This act makes it a federal crime to intentionally access a computer for such purposes as:
(1) obtaining top-secret military information, or personal, financial or credit information
(2) committing a fraud
(3) altering or destroying federal information
Methods for Thwarting
Computer Abuse
Enlist top-management support so that awareness of computer abuse will filter down through management ranks.
Implement and enforce control procedures.
Increase employee awareness in the seriousness of computer abuse, the amount of costs, and the disruption it creates.
Establish a code of conduct.
Be aware of the common characteristics of most computer abusers.
Methods for Thwarting
Computer Abuse
Recognize the symptoms of computer abuse such as:
behavioral or lifestyle changes in an employee
accounting irregularities such as forged, altered or destroyed input documents or suspicious accounting adjustments
absent or ignored control procedures
the presence of many odd or unusual anomalies that go unchallenged
Encourage ethical behavior
Control Problems Caused by Computerization: Data Collection
Figure 7-6 (each row compares a characteristic of the manual system with its computer-based counterpart, the resulting risk exposure, and the compensating control)

Manual system: Data recorded in paper source documents
Computer-based system: Data sometimes captured without use of source documents
Risk exposure: Audit trail may be partially lost
Compensating control: Printed copies of source documents prepared by computer systems

Manual system: Data reviewed for errors by clerks
Computer-based system: Data often not subject to review by clerks
Risk exposure: Errors, accidental or deliberate, may be entered for processing
Compensating control: Edit checks performed by computer system
Control Problems Caused by Computerization: Data Processing
Figure 7-6 Continued

Manual system: Processing steps performed by clerks who possess judgment
Computer-based system: Processing steps performed by CPU "blindly" in accordance with program instructions
Risk exposure: Errors may cause incorrect results of processing
Compensating control: Outputs reviewed by users of computer system; carefully developed computer processing programs

Manual system: Processing steps spread among various clerks in separate departments
Computer-based system: Processing steps concentrated within computer CPU
Risk exposure: Unauthorized manipulation of data and theft of assets can occur on a larger scale
Compensating control: Restricted access to computer facilities; clear procedure for authorizing changes to programs

Manual system: Processing requires use of journals and ledgers
Computer-based system: Processing does not require use of journals
Risk exposure: Audit trail may be partially lost
Compensating control: Printed journals and other analyses

Manual system: Processing performed relatively slowly
Computer-based system: Processing performed very rapidly
Risk exposure: Effects of errors may spread rapidly through files
Compensating control: Editing of all data during input and processing steps
Control Problems Caused by Computerization: Data Storage & Retrieval
Figure 7-6 Continued

Manual system: Data stored in file drawers throughout the various departments
Computer-based system: Data compressed on magnetic media (e.g., tapes, disks)
Risk exposure: Data may be accessed by unauthorized persons or stolen
Compensating control: Security measures at points of access and over the data library

Manual system: Data stored on hard copies in human-readable form
Computer-based system: Data stored in invisible, erasable, computer-readable form
Risk exposure: Data are temporarily unusable by humans, and might possibly be lost
Compensating control: Data files printed periodically; backup of files; protection against sudden power losses

Manual system: Stored data accessible on a piecemeal basis at various locations
Computer-based system: Stored data often readily accessible from various locations via terminals
Risk exposure: Data may be accessed by unauthorized persons
Compensating control: Security measures at points of access
Control Problems Caused by Computerization: Information Generation
Figure 7-6 Continued

Manual system: Outputs generated laboriously and usually in small volumes
Computer-based system: Outputs generated quickly and neatly, often in large volumes
Risk exposure: Inaccuracies may be buried in impressive-looking outputs that users accept on faith
Compensating control: Reviews by users of outputs, including the checking of amounts

Manual system: Outputs usually in hard-copy form
Computer-based system: Outputs provided in various forms, including soft-copy displays and voice responses
Risk exposure: Information stored on magnetic media is subject to modification (only hard copy provides a permanent record)
Compensating control: Backup of files; periodic printing of stored files onto hard-copy records
Control Problems Caused by Computerization: Equipment
Figure 7-6 Continued

Manual system: Relatively simple, inexpensive, and mobile
Computer-based system: Relatively complex, expensive, and in fixed locations
Risk exposure: Business operations may be intentionally or unintentionally interrupted; data or hardware may be destroyed; operations may be delayed through inefficiencies
Compensating control: Backup of data, power supply and equipment; preventive maintenance of equipment; restrictions on access to computer facilities; documentation of equipment usage and processing procedures
Copyright © 2000 John Wiley & Sons, Inc. All rights reserved.
Reproduction or translation of this work beyond that permitted in
Section 117 of the 1976 United States Copyright Act without the express
written permission of the copyright owner is unlawful. Request for
further information should be addressed to the Permissions Department,
John Wiley & Sons, Inc. The purchaser may make back-up copies for
his/her own use only and not for distribution or resale. The publisher
assumes no responsibility for errors, omissions, or damages, caused by
the use of these programs or from the use of the information contained
herein.