Accounting Chapter 7 Homework: COSO's Internal Control Model Has Five Crucial Components (Table 7-1)

Type: Homework Help
Pages: 9
Words: 3274
Authors: Marshall B. Romney, Paul J. Steinbart

CHAPTER 7
CONTROL AND ACCOUNTING INFORMATION SYSTEMS
Instructor’s Manual
Learning Objectives:
1. Explain basic control concepts and why computer control and
security are important.
3. Describe the major elements in the internal environment of a
company.
5. Describe the events that affect uncertainty and the techniques
used to identify them.
7. Describe control activities commonly used in companies.
8. Describe how to communicate information and monitor control
processes in organizations.
Introduction
Why Accounting Information Systems Threats Are Increasing
More than 60 percent of organizations have recently experienced a
major control failure for some of the following reasons:
1. Increase in number of information systems means that
3. Wide area networks are giving customers and suppliers
access to each other’s systems and data, making
confidentiality a major concern
Some of the reasons why organizations do not adequately protect
their data are:
4. Productivity and cost pressures have motivated management
to forgo time-consuming control measures.
Any potential adverse occurrence or unwanted event that could be
injurious to either the accounting information system or the
organization is referred to as a threat or an event.
Why Control and Security Are Important
As an accountant you must have a good understanding of
Information Technology (IT) and its capabilities and risks.
Although internal control objectives remain the same regardless
of the data processing method, a computer-based AIS requires
different internal control policies and procedures.
Management expects accountants to:
1. Take a proactive approach to eliminating system threats.
Overview of Control Concepts
My simple definition of internal control is:
Internal control is the process implemented by the board of
directors, management, and those under their direction to provide
reasonable assurance that the following control objectives are
achieved:
1. Safeguarding assets, including preventing or detecting, on
3. Providing accurate and reliable information
5. Promoting and improving operational efficiency, including
6. Encouraging adherence to prescribed managerial policies
7. Complying with applicable laws and regulations
Preventive controls deter problems before they arise; anticipate
the problem.
Detective controls discover problems as soon as they arise; what
we normally call in auditing “following the problem.”
Again in auditing, in addition to reporting the cause of
problems, we were required to give management the effect of the
problem that answers management’s reply: “So what?”
General controls are designed to make sure an organization’s
control environment is stable and well managed.
Some of the more important general controls are:
2. Security management controls
4. Software acquisition, development, and maintenance
controls
Application controls prevent, detect, and correct transaction
errors and fraud. They are concerned with the accuracy,
completeness, validity, and authorization of the data.
The Sarbanes-Oxley and Foreign Corrupt Practices Acts
The Foreign Corrupt Practices Act (1977)
The primary purpose of this Act was to prevent the
bribery of foreign officials in order to obtain
business.
The Sarbanes-Oxley Act of 2002
Applies to publicly held companies and their auditors
Some of the important aspects of The Sarbanes-Oxley Act
are:
1. Public Company Accounting Oversight Board (PCAOB)
2. New rules for auditors
Auditors must report specific information to the
company’s audit committee, such as critical
3. New roles for audit committees
4. New rules for management
Requires the CEO and CFO to certify that financial
statements and disclosures are fairly presented, were
reviewed by management, and are not misleading.
Management can be imprisoned up to 20 years and fined
up to $5,000,000.
The following provides Websites for news regarding
the Enron and WorldCom scandals:
Enron Traders Caught on Tape
5. New internal control requirements
Requires publicly held companies to issue a report
accompanying the financial statements that states
management is responsible for establishing and
maintaining an adequate internal control structure
and appropriate control procedures.
1. Base its evaluation on a recognized control
framework. The most likely frameworks are formulated
by The Committee of Sponsoring Organizations (COSO).
Levers of Control
Many people feel there is a basic conflict between creativity and
controls. In other words, you can’t have both.
Four levers of control help companies reconcile this
conflict:
1. The first is a concise belief system that
2. A boundary system helps employees act ethically by
3. To ensure the efficient and effective achievement of
4. An interactive control system helps top-level
managers with high-level activities that demand
frequent and regular attention, such as developing
company strategy, setting company objectives,
understanding and assessing threats and risks,
monitoring changes in competitive conditions and
emerging technologies, and developing responses and
action plans to proactively deal with these high-
level issues
Multiple Choice 1
What type of internal controls finds the problem before it occurs?
a. detective controls
Multiple Choice 2
The Public Company Accounting Oversight Board consists of
a. 7 members
b. 3 members
c. 5 members
d. 6 members
Control Frameworks
COBIT Framework
The Information Systems Audit and Control Foundation (ISACF)
developed the Control Objectives for Information and related
Technology (COBIT) framework. COBIT is a framework of generally
applicable information systems security and control practices
for Information Technology control.
The framework allows
1. Management to benchmark the security and control
practices of Information Technology environments
The framework addresses the issue of control from three
dimensions:
1. Business objectives. To satisfy business objectives,
information must conform to certain criteria referred to
as “business requirements for information.”
2. Information Technology resources. This includes people,
application systems, technology, facilities, and data
3. Information Technology processes
These are broken into four domains:
Planning and organization
The Committee of Sponsoring Organizations Internal Control
Framework
The Committee of Sponsoring Organizations (COSO) is a
private-sector group consisting of the American Accounting
Association, the AICPA, the Institute of Internal Auditors,
the Institute of Management Accountants, and the Financial
Executives Institute.
COSO’s internal control model has five crucial components,
provided in Table 7-1 on page 187:
1. Control environment
3. Risk assessment
5. Monitoring
COSO’s Enterprise Risk Management Framework
Enterprise Risk Management – Integrated Framework (ERM)
The purpose is to achieve all the goals of the control
framework and help the organization to:
1. Provide reasonable assurance that company objectives
2. Achieve its financial and performance targets
3. Assess risks continuously and identify the steps to
4. Avoid adverse publicity and damage to the entity’s
reputation
The basic principles behind enterprise risk management are:
2. Company management must decide how much uncertainty
it will accept as it creates value.
3. Uncertainty results in risk, which is the possibility
4. Uncertainty can also result in an opportunity, which
5. The Enterprise Risk Management – Integrated Framework
The elements of the ERM are provided in a model shown in
Figure 7-1 on page 188.
Strategic objectives are high-level goals that are aligned
with and support the company’s mission.
Strategic planning is designed to help managers answer
critical questions in a business. These questions include:
1. What is the organization’s position in the
marketplace?
2. What does the organization want its position to be?
organization achieve its goals?
Operations objectives deal with the effectiveness and
efficiency of the company operations, such as performance
and profitability goals and safeguarding assets.
The eight interrelated risk and control components of COSO
are listed in Figure 7-1 on page 188.
1. Internal environment. This is the tone or culture of
2. Objective setting. ERM ensures that company
management puts into place a process to formulate
3. Event identification. ERM requires management to
4. Risk assessment. Identified risks are assessed to
determine how to manage them and how they affect the
company’s ability to achieve its objectives.
5. Risk response. To align identified risks with the
6. Control activities. To implement management’s risk
7. Information and communication. Information about the
8. Monitoring. To remain effective, ERM processes must
be monitored on an ongoing basis and modified as
needed.
The ERM Framework versus the Internal Control Framework
The internal control framework has been widely adopted as
the principal way to evaluate internal controls, as
required by the Sarbanes-Oxley Act. However, it has too
narrow a focus.
ERM is a more comprehensive framework: it takes a risk-based
rather than a controls-based approach to the organization, and
it is oriented toward the future and constant change.
Multiple Choice 3
Which of the following objectives involves parties external to the
organization?
a. strategic objectives
b. compliance objectives
c. operation objectives
d. reporting objectives
Multiple Choice 4
Which of the following is not a component of COSO?
a. event identification
The Internal Environment
The internal environment is the most important component of the
ERM and internal control frameworks.
An internal environment consists of items such as the following:
1. Management’s philosophy, operating style, and risk appetite
3. Commitment to integrity, ethical values, and competence
5. Methods of assigning authority and responsibility
7. External influences
Management’s philosophy, operating style, and risk appetite
Companies have a risk appetite, which is the amount of risk
a company is willing to accept in order to achieve its
goals and objectives.
Management’s philosophy, operating style, and risk appetite
can be assessed by answering questions such as these:
1. Does management take undue business risks to achieve
its objectives, or does it assess potential risks and
rewards prior to acting?
The board of directors
The Sarbanes-Oxley Act requires all public companies to
have an audit committee composed entirely of outside
(nonemployee), independent directors.
Commitment to integrity, ethical values, and competence
It is important to create an organizational culture that
stresses integrity and commitment to both ethical values
and competence.
Companies endorse integrity as a basic operating principle
by actively teaching and requiring it.
Organizational structure
Important aspects of organizational structure include:
1. Centralization or decentralization of authority
3. Whether there is a direct reporting relationship
(i.e., functional organizational structure or
divisional organizational structure) or more of a
matrix structure. A matrix organizational structure
4. Organization by industry, product line, geographical
location, or by a particular distribution or
marketing network
5. The way responsibility allocation affects
management’s information requirements
Methods of assigning authority and responsibility
Authority and responsibility are assigned through formal
job descriptions; employee training; operating plans,
schedules, and budgets; a formal company code of conduct;
and a written policy and procedures manual.
Human resource standards
The following policies and procedures are important:
1. Hiring. To obtain the most qualified and ethical
employees, hiring should be based on educational
2. A thorough background check includes verifying
3. Compensating. It is important to pay employees a fair
and competitive wage. Poorly paid employees are
likely to feel resentment and make up the difference
4. Training. Training programs should familiarize new
employees with their responsibilities; expected
levels of performance and behavior; and the company’s
policies and procedures, history, culture, and
operating style.
Training on fraud and ethics:
Fraud awareness
5. Evaluating and Promoting. Employees should be given
periodic performance appraisals that help them
6. Discharging. A company should take care when firing
employees. To prevent sabotage or copying
7. Managing Disgruntled Employees. Some employees who
commit fraud are seeking revenge for a perceived
8. Vacations and Rotation of Duties. Many fraud schemes
such as lapping and kiting require the ongoing
9. Confidentiality Agreements and Fidelity Bond
Insurance. All employees, suppliers, and contractors
should be required to sign and abide by a