Accounting Chapter 7 Homework Cosos Internal Control Model Has Five Crucial Components Provided Table 71 Page

CHAPTER 7

CONTROL AND ACCOUNTING INFORMATION SYSTEMS

Instructor’s Manual

Learning Objectives:

1. Explain basic control concepts and why computer control and

security are important.

3. Describe the major elements in the internal environment of a

company.

5. Describe the events that affect uncertainty and the techniques

used to identify them.

7. Describe control activities commonly used in companies.

8. Describe how to communicate information and monitor control

processes in organizations.

Introduction

Why Accounting Information Systems Threats Are Increasing

More than 60 percent of organizations have recently experienced a

major control failure for some of the following reasons:

1. Increase in number of information systems means that

3. Wide area networks are giving customers and suppliers

access to each other’s systems and data, making

confidentiality a major concern

Some of the reasons why organizations do not adequately protect

there data are:

Page 2 of 28

4. Productivity and cost pressures have motivated management

to forgo time-consuming control measures.

Any potential adverse occurrence or unwanted event that could be

injurious to either the accounting information system or the

organization is referred to as a threat or an event.

Why Control and Security Are Important

As an accountant you must have a good understanding of

Information Technology (IT) and it’s capabilities and risks.

Although internal control objectives remain the same regardless

of the data processing method, a computer-based AIS requires

different internal control policies and procedures.

Management expects accountants to:

1. Take a proactive approach to eliminating system threats.

Overview of Control Concepts

My simple definition of internal control is:

Page 3 of 28

Internal control is the process implemented by the board of

directors, management, and those under their direction to provide

reasonable assurance that the following control objectives are

achieved:

1. Safeguarding assets, including preventing or detecting, on

3. Providing accurate and reliable information

5. Promoting and improving operational efficiency, including

6. Encouraging adherence to prescribed managerial policies

7. Complying with applicable laws and regulations

Preventive controls deter problems before they arise; anticipate

the problem.

Detective controls discover problems as soon as they arise; what

we normally call in auditing “following the problem.”

Again in auditing, in addition to reporting the cause of

problems, we were required to give management the effect of the

problem that answers management’s reply: “So what?”

General controls are designed to make sure an organization’s

control environment is stable and well managed.

Some of the more important general controls are:

2. Security management controls

4. Software acquisition, development, and maintenance

controls

Page 4 of 28

Application controls prevent, detect, and correct transaction

errors and fraud. They are concerned with the accuracy,

completeness, validity, and authorization of the data.

The Sarbanes-Oxley and Foreign Corrupt Practices Acts

The Foreign Corrupt Practices Act (1977)

The primary purpose of this Act was to prevent the

bribery of foreign officials in order to obtain

business.

The Sarbanes-Oxley Act of 2002

Applies to publicly held companies and their auditors

Some of the important aspects of The Sarbanes-Oxley Act

are:

1. Public Company Accounting Oversight Board (PCAOB)

2. New rules for auditors

Auditors must report specific information to the

company’s audit committee, such as critical

3. New roles for audit committees

4. New rules for management

Requires the CEO and CFO to certify that financial

statements and disclosures are fairly presented, were

reviewed by management, and are not misleading.

Management can be imprisoned up to 20 years and fined

up to $5,000,000.

Page 5 of 28

The following provides Websites for news regarding

the Enron and WorldCom scandals:

Enron Traders Caught on Tape

5. New internal control requirements

Requires publicly held companies to issue a report

accompanying the financial statements that states

management is responsible for establishing and

maintaining an adequate internal control structure

and appropriate control procedures.

Page 6 of 28

1. Base its evaluation on a recognized control

framework. The most likely frameworks are formulated

by The Committee of Sponsoring Organizations (COSO).

Levers of Control

Many people feel there is a basic conflict between creativity and

controls. In other words, you can’t have both.

Four levels of control to help companies to reconcile this

conflict:

1. The first is a concise belief system that

2. A boundary system helps employees act ethically by

3. To ensure the efficient and effective achievement of

4. An interactive control system helps top-level

managers with high-level activities that demand

frequent and regular attention, such as developing

company strategy, setting company objectives,

understanding and assessing threats and risks,

monitoring changes in competitive conditions and

emerging technologies, and developing responses and

action plans to proactively deal with these high–

level issues

Multiple Choice 1

What type of internal controls finds the problem before it occurs?

a. detective controls

Multiple Choice 2

The Public Company Accounting Oversight Board consists of

a. 7 members

b. 3 members

c. 5 members

Page 7 of 28

d. 6 members

Control Frameworks

COBIT Framework

The Information Systems Audit and Control Foundation (ISACF)

developed the Control Objectives for Information and related

Technology (COBIT) framework. COBIT is a framework of generally

applicable information systems security and controls practices of

Information Technology control.

The framework allows

1. Management to benchmark the security and control

practices of Information Technology environments

The framework addresses the issue of control from three

dimensions:

1. Business objectives. To satisfy business objectives,

information must conform to criteria called business

requirement for information.

To satisfy business objectives, information must conform

to certain criteria referred to as “business

requirements for information.”

2. Information Technology resources. This includes people,

application systems, technology, facilities, and data

3. Information Technology processes

These are broken into four domains:

▪ Planning and organization

The Committee of Sponsoring Organizations Internal Control

Framework

The Committee of Sponsoring Organizations (COSO) is a

private-sector group consisting of the American Accounting

Association, the AICPA, the Institute of Internal Auditors,

the Institute of Management Accountants, and the Financial

Executives Institute.

COSO’s internal control model has five crucial components,

provided in Table 7-1 on page 187:

1. Control environment

3. Risk assessment

5. Monitoring

COSO’s Enterprise Risk Management Framework

Enterprise Risk Management—Integrated Framework (ERM)

Page 9 of 28

The purpose is to achieve all the goals of the control

framework and help the organization to:

1. Provide reasonable assurance that company objectives

2. Achieve its financial and performance targets

3. Assess risks continuously and identify the steps to

4. Avoid adverse publicity and damage to the entity’s

reputation

The basic principles behind enterprise risk management are:

2. Company management must decide how much uncertainty

it will accept as it creates value.

3. Uncertainty results in risk, which is the possibility

4. Uncertainty can also result in an opportunity, which

5. The Enterprise Risk Management—Integrated Framework

The elements of the ERM are provided in a model shown in

Figure 7-1 on page 188.

Strategic objectives are high-level goals that are aligned

with and support the company’s mission.

Strategic planning is designed to help managers answer

critical questions in a business. These questions include:

1. What is the organization’s position in the

marketplace?

2. What does the organization want its position to be?

Page 10 of 28

organization achieve its goals?

Operations objectives deal with the effectiveness and

efficiency of the company operations, such as performance

and profitability goals and safeguarding assets.

The eight interrelated risk and control components of COSO

are listed in Figure 7-1 on page 188.

1. Internal environment. This is the tone or culture of

2. Objective setting. ERM ensures that company

management puts into place a process to formulate

3. Event identification. ERM requires management to

4. Risk assessment. Identified risks are assessed to

determine how to manage them and how they affect the

company’s ability to achieve its objectives.

5. Risk response. To align identified risks with the

6. Control activities. To implement management’s risk

7. Information and communication. Information about the

8. Monitoring. To remain effective, ERM processes must

be monitored on an ongoing basis and modified as

needed.

The ERM Framework versus the Internal Control Framework

Page 11 of 28

The internal control framework has been widely adopted as

the principal way to evaluate internal controls, as

required by the Sarbanes-Oxley Act. However, it has too

narrow a focus.

The ERM is a more comprehensive framework which takes a

risk-based, rather than a controls-based approach to the

organization that is oriented toward the future and

constant change.

Multiple Choice 3

Which of the following objectives involves parties external to the

organization?

a. strategic objectives

b. compliance objectives

c. operation objectives

d. reporting objectives

Multiple Choice 4

Which of the following is not a component of COSO?

a. event identification

The Internal Environment

The internal environment is the most important component of the

ERM and internal control frameworks.

An internal environment consists of items such as the following:

1. Management’s philosophy, operating style, and risk appetite

3. Commitment to integrity, ethical values, and competence

5. Methods of assigning authority and responsibility

7. External influences

Page 12 of 28

Management’s philosophy, operating style, and risk appetite

Companies have a risk appetite, which is the amount of risk

a company is willing to accept in order to achieve its

goals and objectives.

Management’s philosophy, operating style, and risk appetite

can be assessed by answering questions such as these:

1. Does management take undue business risks to achieve

its objectives, or does it assess potential risks and

rewards prior to acting?

The board of directors

The Sarbanes-Oxley Act requires all public companies to

have an audit committee composed entirely of outside

(nonemployee), independent directors.

Commitment to integrity, ethical values, and competence

It is important to create an organizational culture that

stresses integrity and commitment to both ethical values

and competence.

Companies endorse integrity as a basic operating principle

by actively teaching and requiring it.

Page 13 of 28

Organizational structure

Important aspects of organizational structure include:

1. Centralization or decentralization of authority

3. Whether there is a direct reporting relationship

(i.e., functional organizational structure or

divisional organizational structure) or more of a

matrix structure. A matrix organizational structure

4. Organization by industry, product line, geographical

location, or by a particular distribution or

marketing network

5. The way responsibility allocation affects

management’s information requirements

Methods of assigning authority and responsibility

Authority and responsibility are assigned through formal

job descriptions; employee training; operating plans,

schedules, and budgets; a formal company code of conduct;

and a written policy and procedures manual.

Human resource standards

The following policies and procedures are important:

1. Hiring. To obtain the most qualified and ethical

employees, hiring should be based on educational

2. A thorough background check includes verifying

3. Compensating. It is important to pay employees a fair

and competitive wage. Poorly paid employees are

likely to feel resentment and make up the difference

4. Training. Training programs should familiarize new

employees with their responsibilities; expected

levels of performance and behavior; and the company’s

policies and procedures, history, culture, and

operating style.

Training on fraud and ethics:

▪ Fraud awareness

5. Evaluating and Promoting. Employees should be given

periodic performance appraisals that help them

6. Discharging. A company should take care when firing

employees. To prevent sabotage or copying

7. Managing Disgruntled Employees. Some employees who

commit fraud are seeking revenge for a perceived

8. Vacations and Rotation of Duties. Many fraud schemes

such as lapping and kiting require the ongoing

9. Confidentiality Agreements and Fidelity Bond

Insurance. All employees, suppliers, and contractors

should be required to sign and abide by a