Threat
Any potential adverse occurrence or unwanted event that could injure the AIS or the organization
Exposure/Impact
The potential dollar loss if a particular threat becomes a reality
Likelihood/Risk
the probability that a threat will come to pass
Internal Controls
the processes and procedures implemented to provide reasonable assurance that control objectives are met
Preventive controls
controls that deter problems before they arise
Detective Controls
controls designed to discover control problems that were not prevented
Corrective Controls
controls that identify and correct problems as well as correct and recover from the resulting errors
General controls
controls designed to make sure an organization's information system and control environment is stable and well managed
Application controls
controls that prevent, detect, and correct transaction errors and fraud in application programs
Functions of internal control (3)
1) Preventive controls
2) Detective controls
3) Corrective controls
The 2 categories of internal controls
1) General Controls
2) Application Controls
Four levers of control to help management reconcile the conflict between creativity and controls
1) Belief system
2) Boundary system
3) Diagnostic control system
4) Interactive control system
Belief System
describes how a company creates value, helps employees understand management's vision, communicates the company's core values, and inspires employees to live by those values
Boundary System
helps employees act ethically by setting boundaries on employee behavior
Diagnostic control system
system that measures, monitors, and compares actual company progress to budgets and performance goals
interactive control system
system that helps managers to focus subordinates' attention on key strategic issues and to be more involved in their decisions
Foreign Corrupt Practices Act (FCPA)
legislation passed to prevent companies from bribing foreign officials to obtain business; also requires all publicly owned corporations maintain a system of internal accounting controls
Sarbanes-Oxley Act (SOX)
legislation intended to prevent financial statement fraud, make financial reports more transparent, provide protection to investors, strengthen internal controls at public companies, and punish executives who perpetrate fraud
Public Company Accounting Oversight Board (PCAOB)
A board, created as part of SOX, that regulates the auditing profession.
Control Objectives for Information and Related Technology (COBIT)
A security and control framework that allows (1) management to benchmark the security and control practices of IT environments, (2) users of IT services to be assured that adequate security and control exist, and (3) auditors to substantiate their internal control opinions and advise on IT security and control matters. - Framework for IT control
Committee of Sponsoring Organizations (COSO)
A private-sector group consisting of the American Accounting Association, the AICPA, the Institute of Internal Auditors, the Institute of Management Accountants, and the Financial Executives Institute - Framework for enterprise internal controls (control-based approach)
COBIT 2019 Principles
1) Meeting stakeholder needs
2) Covering the enterprise end-to-end
3) Applying a single, integrated framework
4) Enabling a holistic approach
5) Separating governance from management
Enterprise Risk Management (ERM)
The process the board of directors and management use to set strategy, identify events that may affect the entity, assess and manage risk, and provide reasonable assurance that the company achieves its objectives and goals
Internal Control - Integrated Framework (IC)
A COSO framework that defines internal controls and provides guidance for evaluating and enhancing internal control systems
5 components of the COSO Internal Control-Integrated Framework
1) Control Environment
2) Risk assessment
3) Control Activities
4) Information and communication
5) Monitoring
Control Environment
The company culture that is the foundation for all other internal control components, as it influences how organizations establish strategies and objectives; structure business activities; and identify, assess, and respond to risk
A control environment consists of
1) Management's philosophy, operating style, and risk appetite
2) Commitment to integrity, ethical values, and competence
3) Internal control oversight by the BOD
4) Organizational structure
5) Methods of assigning authority and responsibility
6) HR standards that attract, develop, and retain competent individuals
7) External influences
Risk Appetite
The amount of risk a company is willing to accept to achieve its goals and objectives. To avoid undue risk, risk appetite must be in alignment with company strategy.
Inherent Risk
the susceptibility of a set of accounts or transactions to significant control problems in the absence of internal control
Residual Risk
the risk that remains after management implements internal controls or some other response to risk
Management's response to risk
Reduce, Accept, Share, Avoid
Reduce response
Implementing effective internal control
Accept Response
Do nothing; accept the likelihood and impact of the risk
Share Response
Buy insurance, outsource, or hedge
Avoid Response
Do not engage in the activity
Control Activities
policies, procedures, and rules that provide reasonable assurance that control objectives are met and risk responses are carried out
Control Procedures
1) Proper authorization of transactions and activities
2) Segregation of duties
3) Project development and acquisition controls
4) Change management controls
5) Design and use of documents and records
6) Safeguarding assets, records, and data
7) Independent checks on performance
Authorization
Establishing policies for employees to follow and then empowering them to perform certain organizational functions. Authorizations are often documented by signing, initialing, or entering an authorization code on a document or record.
Segregation of accounting duties
separating the accounting functions of authorization, custody, and recording to minimize an employee's ability to commit fraud
Segregation of system duties
implementing control procedures to clearly divide authority and responsibility within the information system function
Audit trail
a path that allows a transaction to be traced through a data processing system from point of origin to output or backward from output to point of origin
Information and Communication Principles
1) Obtain or generate relevant, high-quality information to support internal control
2) Internally communicate the information, including objectives and responsibilities, necessary to support the other components of internal control
3) Communicate relevant internal control matters to external parties
COBIT 2019 Management Objectives
1) Align, plan, and organize (APO)
2) Build, Acquire, and implement (BAI)
3) Deliver, Service, and support (DSS)
4) Monitor, evaluate, and assess (MEA)
COBIT 2019 Governance Objective
Evaluate, Direct, and Monitor
5 basic principles behind ERM
1) Companies are formed to create value for their owners
2) Management must decide how much uncertainty it will accept as it creates value
3) Uncertainty results in risk, which is the possibility that something negatively affects the company's ability to create or preserve value
4) Uncertainty results in opportunity, which is the possibility that something positively affects the company's ability to create or preserve value
5) The ERM framework can manage uncertainty as well as create and preserve value
Governance and Culture
Sets the organization's tone, including oversight responsibilities for enterprise risk management; relates to a company's ethical values, desired behaviors, and understanding of risk
Strategy and Objective Setting
Should consider the need to identify, assess, and respond to risk
Performance
This process should include an assessment of the total amount of risk the entity assumes. Key risk stakeholders should be informed of the risk management and response process and its findings.
Review and Revision
The entity should review the performance of ERM components to determine how well they are functioning over time, and determine what revisions are needed.
Information, Communication, and Reporting
It is essential to continuously obtain and share information from internal and external sources with all necessary levels of the organization
Audit Committee
the outside, independent board of director members responsible for financial reporting, regulatory compliance, internal control, and hiring and overseeing internal and external auditors
policies and procedures manual
a document that explains proper business practices, describes needed knowledge and experience, explains document procedures, explains how to handle transactions, and lists the resources provided to carry out specific duties
background check
An investigation of a prospective or current employee that involves verifying their educational and work experience, talking to references, checking for a criminal record or credit problems, and examining other publicly available information.
Expected Loss
The mathematical product of the potential dollar loss that would occur should a threat become a reality (called impact or exposure) and the risk or probability that the threat will occur (called likelihood).
Digital Signature
a means of electronically signing a document with data that cannot be forged
Specific Authorization
special approval an employee needs in order to be allowed to handle a transaction
General Authorization
the authorization given to employees to handle routine transactions without special approval
Segregation of accounting duties is achieved when the following functions are separated:
Authorization, Recording, and Custody
Collusion
cooperation between two or more people in an effort to thwart internal controls
Custodial Functions
-Handling cash
-Handling inventories, tools, or fixed assets
-Writing checks
-Receiving checks in mail
Authorization Functions
Authorization of transactions
Recording Functions
-Preparing source documents
-Maintaining journals, ledgers, or other files
-Preparing reconciliations
-Preparing performance reports
Systems Analysts
people who help users determine their information needs and design systems to meet those needs
programmers
People who use the analysts' design to create and test computer programs
Computer Operators
people who operate the company's computers
Users
people who record transactions, authorize data processing, and use system output
System Administrators
People responsible for making sure a system operates smoothly and efficiently
Network Managers
People who ensure that the organization's networks operate properly
Security Management
People who make sure systems are secure & protected from internal & external threats
Change management
Process of making sure changes are made smoothly and efficiently and do not negatively affect the system
Data Control
People who ensure that source data is approved, monitor the flow of work, reconcile input and output, handle input errors, and distribute systems output
Steering Committee
An executive-level committee to plan and oversee the information systems function.
Strategic master plan
A multiple-year plan that lays out the projects the company must complete to achieve its long-range goals and the resources needed to achieve the plan.
project development plan
a document that shows how a project will be completed
Project Milestone
points where progress is reviewed and actual and estimated completion times are compared
data processing schedule
a schedule that shows when each data processing task should be performed
systems performance measurements
ways to evaluate and assess a system
Throughput
the amount of work performed by a system during a given period of time
Utilization
the percentage of time a system is used
Response time
how long it takes for a system to respond
postimplementation review
review, performed after a new system has been operating for a brief period, to ensure that it meets its planned objectives
Systems Integrator
an outside party hired to manage a company's systems development effort
analytical review
the examination of the relationships between different sets of data
Computer Security Officer (CSO)
An employee independent of the information system function who monitors the system, disseminates information about improper system uses and their consequences, and reports to top management.
Chief Compliance Officer (CCO)
an employee responsible for all the compliance tasks associated with SOX and other laws and regulatory rulings
forensic investigators
Individuals who specialize in fraud, most of whom have specialized training with law enforcement agencies such as the FBI or IRS or have professional certifications such as Certified Fraud Examiner (CFE).
computer forensics specialists
computer experts who discover, extract, safeguard, and document computer evidence such that its authenticity, accuracy, and integrity will not succumb to legal challenges
neural networks
computing systems that imitate the brain's learning process by using a network of interconnected processors that perform multiple operations simultaneously and interact dynamically
Fraud hotline
a phone number employees can call to anonymously report fraud and abuse