Accounting Information
Systems
7-1
CHAPTER 7
CONTROL AND ACCOUNTING INFORMATION SYSTEMS
SUGGESTED ANSWERS TO DISCUSSION QUESTIONS
7.1 Answer the following questions about the audit of Springer’s Lumber & Supply
a. What deficiencies existed in the internal environment at Springers?
The “internal environment” refers to the tone or culture of a company and helps
determine how risk consciousness employees are. It is the foundation for all other
ERM components, providing discipline and structure. It is essentially the same thing
as the control environment in the internal control framework.
1. Management authority is concentrated in three family members, so there are
few, if any, checks and balances on their behavior. In addition, several other
relatives and friends of the family are on the payroll.
b. Do you agree with the decision to settle with the Springers rather than to
prosecute them for fraud and embezzlement? Why or why not?
Whether or not to settle with the Springers is a matter of opinion, with reasonable
arguments on both sides of the issue.
Ch. 7: Control and Accounting Information Systems
c. Should the company have told Jason and Maria the results of the high-level audit?
Why or why not?
Whether or not Jason and Maria should have been told the results of the high-level
audit is also a matter of opinion. The investigative team is apparently trying to keep
Many lessons may be drawn from this story.
2. Fraud is more easily perpetrated and concealed when many perpetrators are
involved, and especially when management is involved.
3. Purchasing and payroll are two areas that are particularly vulnerable to fraud.
Accounting Information
Systems
7-3
7.2 Effective segregation of duties is sometimes not economically feasible in a small
business. What internal control elements do you think can help compensate for this
threat?
Small companies can do the following things to compensate for their inability to implement
an adequate segregation of duties:
Ch. 7: Control and Accounting Information Systems
7.3 One function of the AIS is to provide adequate controls to ensure the safety of
organizational assets, including data. However, many people view control procedures
as fired tape.” They also believe that, instead of producing tangible benefits, business
controls create resentment and loss of company morale. Discuss this position.
Well-designed controls should not be viewed as fired tape” because they can actually
improve both efficiency and effectiveness. The benefits of business controls are evident if
one considers the losses that frequently occur due to the absence of controls.
Accounting Information
Systems
7-5
7.4 In recent years, Supersmurf’s external auditors have given clean opinions on its
financial statements and favorable evaluations of its internal control systems. Discuss
whether it is necessary for this corporation to take any further action to comply with
the SarbanesOxley Act.
The Sarbanes-Oxley Act of 2002 (SOX) applies to publicly held companies and their
auditors and was intended to prevent financial statement fraud, make financial reports more
transparent, provide protection to investors, strengthen the internal controls at public
companies, and punish executives who perpetrate fraud.
Audit Committee
Audit committee members must be on the company’s board of directors and be
independent of the company. One member of the audit committee must be a financial
expert.
Management
The CEO and CFO at companies with more than $1.2 billion in revenue must prepare
a statement certifying that their quarterly and annual financial statements and
disclosures are fairly presented, were reviewed by management, and are not
misleading.
Ch. 7: Control and Accounting Information Systems
7.5 When you go to a movie theater, you buy a prenumbered ticket from the cashier.
This ticket is handed to another person at the entrance to the movie. What kinds of
irregularities is the theater trying to prevent? What controls is it using to prevent
these irregularities? What remaining risks or exposures can you identify?
There are two reasons for using tickets.
1. The theater is trying to prevent cashiers from stealing cash by providing greater
control over cash receipts. You cannot get into the theater without a ticket so you
never give cash to a cashier without insisting on a ticket. That makes it much harder
for a cashier to pocket cash.
Accounting Information
Systems
7-7
7.6 Some restaurants use customer checks with prenumbered sequence codes. Each food
server uses these checks to write up customer orders. Food servers are told not to
destroy any customer checks; if a mistake is made, they are to void that check and
write a new one. All voided checks are to be turned in to the manager daily. How
does this policy help the restaurant control cash receipts?
The fact that all documents are prenumbered provides a means for accounting for their use
and for detecting unrecorded transactions. Thus, a missing check indicates a meal for
7.7 Compare and contrast the following three frameworks: COBIT, COSO Integrated
Control, and ERM.
The COBIT Framework consolidates systems security and control standards into a single
It has five components:
1. Control environment, which are the individual attributes, (integrity, ethical values,
Ch. 7: Control and Accounting Information Systems
competence, etc.) of the people in the organization and and the environment in which
they operate.
2. Control activities, which are control policies and procedures that help ensure that the
organization addresses risks and effectively achieves its objectives.
COSO’s Enterprise Risk Management Frameworkis a new and improved version of the
Integrated Control Framework. It is the process the board of directors and management use
to set strategy, identify events that may affect the entity, assess and manage risk, and
provide reasonable assurance that the company achieves its objectives and goals. The basic
principles behind ERM are:
Companies are formed to create value for their owners.
ERM adds three additional elements to COSO’s IC framework:
1. Setting objectives
Because the ERM model is more comprehensive than the Internal Control framework, it
will likely become the most widely adopted of the two models.
Accounting Information
Systems
7.8 Explain what an event is. Using the Internet as a resource, create a list of some of the
many internal and external factors that COSO indicated could influence events and
affect a company’s ability to implement its strategy and achieve its objectives.
An event is fian incident or occurrence emanating from internal or external sources that
affects implementation of strategy or achievement of objectives.” An event can have a
positive or a negative impact.
The following table lists some of the many internal and external factors that COSO indicated
could influence events and affect a company’s ability to implement its strategy and achieve its
objectives. Lists like these help management identify factors, evaluate their importance, and
examine those that can affect objectives. Identifying events at the activity and entity levels
allows companies to focus their risk assessment on major business units or functions and
helps align the company’s risk tolerance and risk appetite.
COSO’s Nine ERM Event Categories
EVENT CATEGORIES
External Factors
Internal Factors
ECONOMIC
INFRASTRUCTURE
Availability of capital; lower or higher costs
of capital
Inadequate access to or poor allocation of
capital
Rising or declining unemployment rates
Availability and capability of company assets
Price movements upward or downward
Complexity of systems
Ability to issue credit and possibility of
default
Concentration of competitors, customers, or
vendors
Presence or absence of liquidity
Movements in the financial markets or
currency fluctuations
Lower barriers to competitive entry,
resulting in new competitors
Mergers or acquisitions
Ch. 7: Control and Accounting Information Systems
legal liability
NATURAL ENVIRONMENT
PERSONNEL
Natural disasters such as fires, floods, or
Workplace accidents, health or safety
POLITICAL
PROCESS
Election of government officials with new
political agendas
Process modification without proper change
management procedures
New laws and regulations
Process execution errors
Public policy, including higher or lower taxes
Poorly designed processes
Regulation affecting the company’s ability to
compete
Suppliers cannot deliver quality goods on
SOCIAL
TECHNOLOGY
Privacy
Insufficient capacity to handle peak IT usages
Terrorism
Data or system unavailability
Corporate citizenship
Poor systems selection/development
Human resource issues causing production
shortages or stoppages
Inadequately maintained systems
Changing demographics, social mores, family
structures, and work/life priorities
Security breaches
and services demand or creates buying
TECHNOLOGICAL
New e-business technologies that lower
infrastructure costs or increase demand for
IT-based services
Emerging technology
Increased or decreased availability of data
Interruptions or downtime caused by external
parties
earthquakes
concerns
Emissions and waste
Employees acting dishonestly or unethically
Energy restrictions or shortages
Employee skills and capability
Restrictions limiting development
Strikes or expiration of labor agreements
Accounting Information
Systems
7.9 Explain what is meant by objective setting and describe the four types of objectives
used in ERM.
Objective setting, the second ERM component, is determining what the company hopes to
achieve. It is often referred to as the corporate vision or mission. The four types of
objectives used in ERM are:
1. Strategic objectives are high-level goals that align with the company’s mission,
2. Operations objectives deal with the effectiveness and efficiency of company
operations and determine how to allocate resources. They reflect management
3. Reporting objectives help ensure the accuracy, completeness, and reliability of
4. Compliance objectives help the company comply with all applicable laws and
regulations.
Most compliance and many reporting objectives are imposed by external entities due
to laws or regulations. ERM provides reasonable assurance that reporting and
Ch. 7: Control and Accounting Information Systems
7.10 Discuss several ways that ERM processes can be continuously monitored and
modified so that deficiencies are reported to management.
2. Supervise effectively, including training and assisting employees, correcting errors,
and overseeing employees who have access to assets.
3. Use Responsibility Accounting Systems such as budgets, quotas, schedules, standard
4. Use risk analysis and management software packages to review computer and
network security measures, detect illegal access, test for weaknesses and
vulnerabilities, report weaknesses found, and suggest improvements.
6. Have periodic external, internal, and network security audits to assess and monitor
risk as well as detect fraud and errors.
7. Have a chief security officer (CSO), who is independent of the information system
9. Use forensic investigators, who specialize in fraud detection and investigation, help
with the financial reporting and corporate governance process. Most forensic
11. Use a fraud hotline so people witnessing fraudulent behavior can report it
anonymously.
Accounting Information
Systems
SUGGESTED SOLUTIONS TO THE PROBLEMS
7.1 You are an audit supervisor assigned to a new client, Go-Go Corporation, which is
listed on the New York Stock Exchange. You visited Go-Go’s corporate headquarters
to become acquainted with key personnel and to conduct a preliminary review of the
company’s accounting policies, controls, and systems. During this visit, the following
events occurred:
a. You met with Go-Go’s audit committee, which consists of the corporate controller,
treasurer, financial vice president, and budget director.
d. You learned that the financial vice president manages a staff of five internal
auditors.
e. You noted that all management authority seems to reside with three brothers, who
serve as chief executive officer, president, and financial vice president.
h. You reviewed the company’s policy and procedures manual, which listed policies
for dealing with customers, vendors, and employees.
i. Your preliminary assessment is that the accounting systems are well designed and
that they employ effective internal control procedures.
j. Some employees complained that some managers occasionally contradict the
instructions of other managers regarding proper data security procedures.
Ch. 7: Control and Accounting Information Systems
do not appear to know who to ask for help.
n. GoGo’s strategy is to achieve consistent growth for its shareholders. However, its
policy is not to invest in any project unless its payback period is no more than 48
months and yields an internal rate of return that exceeds its cost of capital by 3%.
The information you have obtained suggests potential problems relating to Go-Go’s
internal environment. Identify the problems, and explain them in relation to the
internal environment concepts discussed in this chapter
The underlined items correspond to one of the 7 elements of the internal environment
covered in the text.
a. You met with Go-Go’s audit committee, which consists of the corporate
controller, treasurer, financial vice president, and budget director.
PROBLEM: Section 301 of the Sarbanes-Oxley Act of 2002 (SOX) applies to
publicly held companies and their auditors. It requires audit committee members to
SOLUTION: All members of the audit committee should be members of the Board
of Directors. They must also be independent of the company meaning none of the
b. You recognized the treasurer as a former aide to Ernie Eggers, who was
convicted of fraud several years ago.
PROBLEM: Because the position of corporate treasurer involves managing cash and
other financial assets, it is critical that the position be filled with someone of
Accounting Information
Systems
7-15
SOLUTION: Though you may not have specific information linking the corporate
treasurer to the prior fraud, this information should indicate a need to examine
c. Management explained its plans to change accounting methods for depreciation
from the accelerated to the straight-line method. Management implied that if
your firm does not concur with this change, Go-Go will employ other auditors.
PROBLEM: Why would a company want to move from an accelerated depreciation
method to one with a lower depreciation write-off? One reason is that it reduces
It is also possible that there is a problem with management’s philosophy and operating
style. Management’s philosophy and operating style relates to risk-taking propensity
and problems with philosophy and operating style are similar to carelessnessn or
recklessness.
It is important to note that management can be careless, yet ethical; they can also be
careful, yet unethical.
d. You learned that the financial vice president manages a staff of five internal
auditors.
Ch. 7: Control and Accounting Information Systems
PROBLEM: The internal audit function is not organizationally independent of the
e. You noted that all management authority seems to reside with three brothers,
who serve as chief executive officer, president, and financial vice president.
PROBLEM: The dominance of an organization’s management by one or a few
individuals is an aspect of management’s philosophy and operating style that might
f. You were told that the performance of division and department managers is
evaluated on a subjective basis, because Go-Go’s management believes that
formal performance evaluation procedures are counterproductive.
PROBLEM: This indicates a possible problem with management’s human resource
standards and their methods of monitoring performance. Subjective evaluation
g. You learned that the company has reported increases in earnings per share for
each of the past 25 quarters; however, earnings during the current quarter have
leveled off and may decline.
PROBLEM: Management’s philosophy and operating style, as well as their
commitment to integrity and ethical values, can be tested when a company faces
declining earnings. When earnings per share decrease or when they do not meet
Accounting Information
Systems
7-17
h. You reviewed the company’s policy and procedures manual, which listed policies
for dealing with customers, vendors, and employees.
PROBLEM: One of the methods of assigning authority and responsibility is a
written and comprehensive policies and procedures manual. Go-Go has a written
i. Your preliminary assessment is that the accounting systems are well designed
and that they employ effective internal control procedures.
PROBLEM: Even though you believe that the accounting systems are well designed,
and that they employ effective internal control procedures, you cannot rely on that
belief. The most effective internal control systems and procedures can be negated by
j. Some employees complained that some managers occasionally contradict the
instructions of other managers regarding proper data security procedures.
PROBLEM: It does not appear that there is a clear line of authority and
Ch. 7: Control and Accounting Information Systems
k. After a careful review of the budget for data security enhancement projects, you
feel the budget appears to be adequate.
PROBLEM: This item does not appear to be a problem. Your careful review
l. The enhanced network firewall project appeared to be on a very aggressive
implementation schedule. The IT manager mentioned that even if he put all of
his personnel on the project for the next five weeks, he still would not complete
the project in time. The manager has mentioned this to company management,
which seems unwilling to modify the schedule.
PROBLEM: The firewall implementation schedule is not feasible.
m. Several new employees have had trouble completing some of their duties, and
they do not appear to know who to ask for help.
PROBLEM: Employee training and support appear to be rather weak. Companies
that shortchange training are more likely to have more fraud and more security
breaches.
Accounting Information
Systems
7-19
n. GoGo’s strategy is to achieve consistent growth for its shareholders. It also has
a policy not to invest in any project unless its payback period is no more than 48
months and yields an internal rate of return that exceeds its cost of capital by
3%.
PROBLEM: Go-Go’s risk appetite, although aggressive, appears to be grounded in
solid capital budgeting principles. This item, therefore, does not appear to be a
problem
o. You observe that company purchasing agents wear clothing and exhibit other
paraphernalia from major vendors. The purchasing department manager
proudly displays a picture of himself holding a big fish on the deck of a luxury
fishing boat that has the logo of a major Go-Go vendor painted on its
wheelhouse.
PROBLEM: Gifts from vendors can unduly influence purchasing agents to buy more
goods from the gifting vendors. Purchasing decision should be free of this sort of
bias.
Ch. 7: Control and Accounting Information Systems
7.2 Explain how the principle of separation of duties is violated in each of the following
situations. Also, suggest one or more procedures to reduce the risk and exposure
highlighted in each example.
a. A payroll clerk recorded a 40-hour workweek for an employee who had quit the
previous week. He then prepared a paycheck for this employee, forged her
signature, and cashed the check.
PROBLEM: Segregation of duties is violated here because the payroll clerk had the
ability to record time worked and to prepare the payroll check (custody). This
b. While opening the mail, a cashier set aside, and subsequently cashed, two checks
payable to the company on account.
PROBLEM: The cashier who opened the mail had custody of the cash. The cashier
opening the mail can pocket the checks and forge a signature, never giving the
c. A cashier prepared a fictitious invoice from a company using his brother-in
law’s name. He wrote a check in payment of the invoice, which the brother-in
law later cashed.
PROBLEM: Segregation of duties is violated here because the cashier had the