romney accounting information systems chapter 7

Copyright © 2015 Pearson Education, Inc. Control and Accounting Information Systems Chapter 7 7-1

Upload: paul-elliott

Post on 22-Nov-2015


Control and Accounting Information Systems
Chapter 7

Slide 7-1: Title slide (Chapter 7)

Slide 7-2: Learning Objectives
Explain basic control concepts and why computer control and security are important.

Compare and contrast the COBIT, COSO, and ERM control frameworks.

Describe the major elements in the internal environment of a company.

Describe the four types of control objectives that companies need to set.

Describe the events that affect uncertainty and the techniques used to identify them.

Explain how to assess and respond to risk using the Enterprise Risk Management model.

Describe control activities commonly used in companies.

Describe how to communicate information and monitor control processes in organizations.

Slide 7-3: Why Is Control Needed?
Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization is referred to as a threat or an event.

The potential dollar loss should a particular threat become a reality is referred to as the exposure or impact of the threat.

The probability that the threat will happen is the likelihood associated with the threat.

Notes: Many organizations carry real risk by not adequately protecting their data. Although they may recognize a threat, many organizations underestimate the impact and the likelihood that the threat will occur.

Slide 7-4: A Primary Objective of an AIS
A primary objective of an AIS is to control the organization so that it can achieve its objectives.

Management expects accountants to:
- Take a proactive approach to eliminating system threats.
- Detect, correct, and recover from threats when they occur.

Slide 7-5: Internal Controls
Processes implemented to provide assurance that the following objectives are achieved:
- Safeguard assets
- Maintain sufficient records
- Provide accurate and reliable information
- Prepare financial reports according to established criteria
- Promote and improve operational efficiency
- Encourage adherence with management policies
- Comply with laws and regulations

Notes: Good internal controls are necessary for an organization to achieve its goals.

Slide 7-6: Functions of Internal Controls
- Preventive controls: deter problems from occurring
- Detective controls: discover problems that are not prevented
- Corrective controls: identify and correct problems; correct and recover from the problems

Notes: In addition to the functions of internal controls, controls are segregated into two categories:
- General controls, which ensure that an organization's control environment is stable and well managed.
- Application controls, which prevent, detect, and correct transaction errors and fraud in application programs.

Slide 7-7: Control Frameworks
- COBIT: framework for IT control
- COSO: framework for enterprise internal controls (control-based approach)
- COSO-ERM: expands the COSO framework, taking a risk-based approach

Slide 7-8: COBIT Framework
The current framework version is COBIT5. It is based on the following principles:
- Meeting stakeholder needs
- Covering the enterprise end-to-end
- Applying a single, integrated framework
- Enabling a holistic approach
- Separating governance from management

Notes: The COBIT framework has evolved over the years, and each time there are major changes to the framework it is renumbered to its current version. The current version of COBIT for IT controls is COBIT5.

The benefit of a standard framework for IT controls is that it:
- Allows management to benchmark their environments and compare them with other organizations
- Provides assurance that IT security and controls exist, because the framework is comprehensive
- Allows auditors to substantiate their internal control opinions

The framework is based on five principles:
- Meeting stakeholder needs means that enterprises exist to create value for their shareholders. Thus, the governance objective is value creation.
- Covering the enterprise end-to-end means that COBIT5 addresses governance and management of information and information-related technologies throughout the enterprise. It is not focused solely on the IT function, because information technology runs throughout the enterprise.
- Applying a single, integrated framework means that COBIT5 can align with other governance frameworks such as COSO and COSO-ERM.
- Enabling a holistic approach includes the following enablers:
  - Processes: a set of activities to achieve an overall IT-related goal
  - Organizational structures: the key decision-making entities
  - Culture, ethics, and behavior of individuals and the organization
  - Principles and policies that guide day-to-day management
  - Information
  - Infrastructure, technology, and applications
  - People, skills, and competencies

Slide 7-9: COBIT5 Separates Governance from Management

Slide 7-10: Components of COSO Frameworks
COSO: control (internal) environment; risk assessment; control activities; information and communication; monitoring.
COSO-ERM: internal environment; objective setting; event identification; risk assessment; risk response; control activities; information and communication; monitoring.

Notes: The major difference between COSO and COSO-ERM is that COSO-ERM's focus is a risk-based approach, and the components are expanded for this approach (objective setting, event identification, and risk response are added).

All of the other components are similar.

Slide 7-11: Internal Environment
- Management's philosophy, operating style, and risk appetite
- Commitment to integrity, ethical values, and competence
- Internal control oversight by the Board of Directors
- Organizational structure
- Methods of assigning authority and responsibility
- Human resource standards

Notes: The internal environment establishes the foundation for all other components of the internal control model.

Assessing the internal environment involves observing the organizational behavior of management actions and evaluating policies and procedures. For example, is there a written code of conduct that explicitly describes honest and dishonest behaviors? Does the company exhibit good hiring practices by evaluating qualified applicants and conducting thorough background checks?

Slide 7-12: Objective Setting
- Strategic objectives: high-level goals
- Operations objectives: effectiveness and efficiency of operations
- Reporting objectives: improve decision making and monitor performance
- Compliance objectives: compliance with applicable laws and regulations

Notes: Objective setting is what the company hopes to achieve. This is broken down into four categories, from a high level to specific levels. Strategic objectives are high-level goals and may include considerations involving the organizational direction relating to governance, business model, or strategy (e.g., grow market share).

Operations objectives involve the operations, which we can think of as people, process, and technology. Examples of these types of objectives include internal controls, supply chain and distribution, and human resources.

Reporting objectives ensure the accuracy and reliability of your reports. This would include objectives covering access to the systems and protecting the IT systems, as well as ensuring adequate management review of the reports.

Compliance objectives are focused on compliance with all applicable laws and regulations. Many industries have specific regulations (e.g., food manufacturing and financial services). In addition, there are local, state, and federal laws that organizations must comply with, meaning that there are environmental, legal, and contractual compliance considerations.

It is also noted at the high level that an organization's risk appetite (how much risk is the organization willing to take?) and risk tolerance are formed. In other words, there are trade-offs with risk in organizations. Organizations need to think about how much risk they are willing to take for a certain level of return. Of course there are uncertainties; that is why thinking about risk is so important.

Slide 7-13: Event Identification
Identifying incidents, both external and internal to the organization, that could affect the achievement of the organization's objectives.
Key management questions:
- What could go wrong?
- How can it go wrong?
- What is the potential harm?
- What can be done about it?

Notes: Risk is two-sided:
- Opportunities (upside to uncertainty)
- Risk (downside to uncertainty)

For example, consider a chocolate manufacturer that relies on sourcing its cacao beans from certain regions in Africa to get the signature blend of chocolate flavor for its truffles. Its organizational objective is to increase revenues and profitability.

What could go wrong? We may not get enough supply of cacao beans to meet our customer demand.

How can it go wrong? It is possible that weather conditions produced a smaller crop, limiting the supply; or it is possible that a civil war broke out in the African region and the crop was produced, but no one was there to get the product off the trees in time because of the war.

What is the potential harm? The cost of our cacao beans will go up due to limited supply, and it will have an impact on our customers, as we may have to increase our prices.

What can be done about it? If we buy cacao bean futures on the market, we may be able to hedge the risk to the cacao supply we require to meet customer demand and achieve our organizational goals of increasing revenues and profitability.

Slide 7-14: Risk Assessment
Risk is assessed from two perspectives:
- Likelihood: the probability that the event will occur
- Impact: an estimate of the potential loss if the event occurs

Types of risk:
- Inherent: risk that exists before plans are made to control it
- Residual: risk that is left over after you control it

Notes: Risk assessment is perhaps the most difficult step for organizations, because once they identify what can go wrong, they need to think about the probability that it actually will happen and estimate the costs. This truly can be a daunting task with a lot of uncertainty!

Many organizations will look at this task from a qualitative and a quantitative perspective, provided that they have enough data. From a qualitative perspective, management can simply assign high, medium, or low risk based upon their collective discussion. After assessing all the identified risks in this manner, a heat map can be generated to show which risks are high (usually shown in red), medium (orange), or low (yellow).
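A worked risk assessment for the likelihood/impact, inherent/residual and heat-map concepts above, as an added example that is not part of the Romney slides; the dollar thresholds, the colour buckets and the cost-benefit rule for the "reduce" response are assumptions chosen for illustration.

```python
"""Expected loss, inherent vs residual risk and a qualitative heat map (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

HIGH_THRESHOLD = 100_000   # assumed: expected loss at or above this is "high" (red)
MEDIUM_THRESHOLD = 10_000  # assumed: at or above this is "medium" (orange), else "low"
HEAT_COLOURS = {"high": "red", "medium": "orange", "low": "yellow"}

@dataclass
class Risk:
    name: str
    likelihood: float                            # probability the event occurs, 0..1
    impact: float                                # dollar loss if it occurs
    control_cost: float = 0.0                    # annual cost of the planned control
    residual_likelihood: Optional[float] = None  # likelihood once the control is in place
    residual_impact: Optional[float] = None      # impact once the control is in place

def expected_loss(likelihood: float, impact: float) -> float:
    """Expected loss = likelihood x impact (the slide's two perspectives)."""
    if not 0.0 <= likelihood <= 1.0 or impact < 0:
        raise ValueError("likelihood must be in [0, 1] and impact non-negative")
    return likelihood * impact

def inherent_loss(r: Risk) -> float:
    """Risk that exists before plans are made to control it."""
    return expected_loss(r.likelihood, r.impact)

def residual_loss(r: Risk) -> float:
    """Risk left over after the control; unchanged terms fall back to inherent."""
    lk = r.likelihood if r.residual_likelihood is None else r.residual_likelihood
    im = r.impact if r.residual_impact is None else r.residual_impact
    return expected_loss(lk, im)

def heat_level(loss: float) -> str:
    """Qualitative high/medium/low bucket for the heat map."""
    return "high" if loss >= HIGH_THRESHOLD else "medium" if loss >= MEDIUM_THRESHOLD else "low"

def control_worth_it(r: Risk) -> bool:
    """Assumed rule for the 'reduce' response: the drop in expected loss must
    exceed the control's cost; otherwise consider share or accept instead."""
    return inherent_loss(r) - residual_loss(r) > r.control_cost

def heat_map(register: List[Risk]) -> Dict[str, List[str]]:
    """Group risk names by the colour of their inherent heat level."""
    grouped: Dict[str, List[str]] = {c: [] for c in HEAT_COLOURS.values()}
    for r in register:
        grouped[HEAT_COLOURS[heat_level(inherent_loss(r))]].append(r.name)
    return grouped
```

A risk whose control fails the cost-benefit rule is a candidate for sharing (insurance, hedging) or acceptance rather than for more controls.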

Quantitative analysis can use probabilistic techniques to model cash flow or earnings based upon the risk identified.

Slide 7-15: Risk Response
- Reduce: implement effective internal control
- Accept: do nothing; accept the likelihood and impact of the risk
- Share: buy insurance, outsource, or hedge
- Avoid: do not engage in the activity

Notes: Management can respond to risk in four ways:
- Reduce the amount of risk by implementing internal controls
- Do nothing and accept the likelihood and impact of the risk
- Share the risk by buying insurance, entering a joint venture, or hedging transactions (see the chocolate company example in the slide 7-13 notes)
- Avoid the risk entirely by selling off a division or not manufacturing that product line

Slide 7-16: Control Activities
- Proper authorization of transactions and activities
- Segregation of duties
- Project development and acquisition controls
- Change management controls
- Design and use of documents and records
- Safeguarding assets, records, and data
- Independent checks on performance

Slide 7-17: Segregation of Duties

Notes: Good internal control requires that no single employee of a company have too much responsibility over transactions and business processes. Segregation of duties prevents an employee from committing and concealing fraud. The three functions that need to be segregated are:
- Custodial function, which handles cash and assets (inventory, fixed assets)
- Recording function, which involves preparing source documents, entering data into the system, maintaining journals or data files, and performing reconciliations of accounts
- Authorizing function, which involves approving transactions and decisions

In addition, from a systems perspective, segregation of duties divides authority and responsibility between the following systems functions:
- System administration
- Network management
- Security management
- Change management
- Users
- Systems analysts
- Programmers
- Computer operators
- Information system librarian
- Data control
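The three incompatible accounting functions described in these notes, checked mechanically over a task roster, plus a check for employee pairs whose combined duties cover all three (the collusion case that segregation alone cannot prevent). Added example, not from the slides; the task-to-function table and the roster are constructed assumptions.

```python
"""Segregation-of-duties check over a constructed task roster (added example).
Each task maps to one of the three accounting functions the notes say must be
kept apart: custody, recording, authorization."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ALL_FUNCTIONS = {"custody", "recording", "authorization"}

# Assumed mapping from job tasks to the three incompatible functions.
TASK_FUNCTION = {
    "receive customer checks": "custody",
    "count physical inventory": "custody",
    "post to accounts receivable": "recording",
    "reconcile bank statement": "recording",
    "enter vendor invoices": "recording",
    "approve credit memos": "authorization",
    "approve new vendors": "authorization",
}

def functions_by_employee(assignments: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Collect the set of functions each employee performs. An unmapped task is
    rejected rather than ignored, since an unclassified task is itself a control gap."""
    held: Dict[str, Set[str]] = defaultdict(set)
    for employee, task in assignments:
        if task not in TASK_FUNCTION:
            raise KeyError(f"task not classified: {task!r}")
        held[employee].add(TASK_FUNCTION[task])
    return dict(held)

def sod_violations(assignments: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Employees holding two or more of the three functions, which would let one
    person both commit and conceal a fraud."""
    return sorted((emp, sorted(funcs))
                  for emp, funcs in functions_by_employee(assignments).items()
                  if len(funcs) >= 2)

def collusion_pairs(assignments: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs whose combined functions cover all three. Segregation does not stop
    such a pair from colluding, which is why independent checks still matter."""
    held = functions_by_employee(assignments)
    names = sorted(held)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if held[a] | held[b] == ALL_FUNCTIONS]

# Constructed roster: dana both receives checks and posts receivables.
ASSIGNMENTS = [
    ("dana", "receive customer checks"),
    ("dana", "post to accounts receivable"),
    ("lee", "approve credit memos"),
    ("sam", "reconcile bank statement"),
    ("pat", "count physical inventory"),
]
```

Once the recording task is moved off dana, no single employee violates the rule and no two employees together cover all three functions; collusion would then require three people, which is exactly what the split is meant to force.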

Slide 7-18: Monitoring
- Perform internal control evaluations (e.g., internal audit)
- Implement effective supervision
- Use responsibility accounting systems (e.g., budgets)
- Monitor system activities
- Track purchased software and mobile devices
- Conduct periodic audits (e.g., external, internal, network security)
- Employ a computer security officer
- Engage forensic specialists
- Install fraud detection software
- Implement a fraud hotline

Slide 7-19: Key Terms
Threat or event; exposure or impact; likelihood; internal controls; preventive controls; detective controls; corrective controls; general controls; application controls; belief system; boundary system; diagnostic control system; interactive control system; audit committee; Foreign Corrupt Practices Act (FCPA); Sarbanes-Oxley Act (SOX); Public Company Accounting Oversight Board (PCAOB); Control Objectives for Information and Related Technology (COBIT); Committee of Sponsoring Organizations (COSO); Internal Control-Integrated Framework (IC); Enterprise Risk Management-Integrated Framework (ERM); internal environment.

Slide 7-20: Key Terms (continued)
Risk appetite; policy and procedures manual; background check; strategic objectives; operations objectives; reporting objectives; compliance objectives; event; inherent risk; residual risk; expected loss; control activities; authorization; digital signature; specific authorization; general authorization; segregation of accounting duties; collusion; segregation of systems duties; systems administrator; network manager; security management; change management; users; systems analysts; programmers; computer operators; information system library.

Slide 7-21: Key Terms (continued)
Data control group; steering committee; strategic master plan; project development plan; project milestones; data processing schedule; system performance measurements; throughput; utilization; response time; postimplementation review; systems integrator; analytical review; audit trail; computer security officer (CSO); chief compliance officer (CCO); forensic investigators; computer forensics specialists; neural networks; fraud hotline.