AIS chapter 3
Threat
Any potential adverse occurrence or unwanted event that could be injurious to either the accounting information system or the organization.
Exposure
The potential dollar loss should a particular threat become a reality.
Likelihood
The probability that the threat will happen.
Primary Objective of an AIS
To control the organization so that it can achieve its objectives.
Proactive Approach
Management expects accountants to take a proactive approach to eliminating system threats.
Internal Controls
Processes implemented to provide assurance that objectives such as safeguarding assets and maintaining sufficient records are achieved.
Preventive Controls
Controls that deter problems from occurring.
Detective Controls
Controls that discover problems that are not prevented.
Corrective Controls
Controls that identify and correct problems, and recover from their effects.
Foreign Corrupt Practices Act (FCPA)
Legislation passed in 1977 to prevent companies from bribing foreign officials to obtain business.
Sarbanes-Oxley Act (SOX)
Requires all publicly owned corporations to maintain a system of internal accounting controls.
Control Objectives
Goals that companies need to set to manage risks and ensure compliance.
Communication of Information
Describes how to communicate information and monitor control processes in organizations.
Risk Assessment
The process of assessing and responding to risk using the Enterprise Risk Management model.
Control Activities
Commonly used activities in companies to ensure that control objectives are met.
Operational Efficiency
Promoting and improving operational efficiency as part of internal controls.
Compliance
Encouraging adherence with management policies and complying with laws and regulations.
Financial Reports
Preparing financial reports according to established criteria.
Reliable Information
Providing accurate and reliable information as part of internal controls.
Sufficient Records
Maintaining sufficient records as part of internal controls.
SOX
Legislation passed in 2002 that applies to publicly held companies and their auditors to prevent financial statement fraud, ensure financial report transparency, protect investors, strengthen internal controls, and punish executives who perpetrate fraud.
Control Frameworks
Structures that provide a systematic approach to managing and controlling organizational processes.
COBIT
Framework for IT control.
COSO
Framework for enterprise internal controls that takes a control-based approach.
COSO-ERM
Expands the COSO framework by taking a risk-based approach.
COBIT Framework
Current framework version is COBIT5, based on principles such as meeting stakeholder needs, covering the enterprise end-to-end, applying a single integrated framework, enabling a holistic approach, and separating governance from management.
COBIT5
Separates governance from management.
Components of COSO Frameworks
Components shared by COSO and COSO-ERM: control (internal) environment, risk assessment, control activities, information and communication, and monitoring.
Internal Environment
Management's philosophy, operating style, and risk appetite; commitment to integrity, ethical values, and competence; internal control oversight by the board of directors; organizational structure; methods of assigning authority and responsibility; and human resource standards.
Objective Setting
Involves strategic objectives, high-level goals, operations objectives for effectiveness and efficiency, reporting objectives to improve decision making and monitor performance, and compliance objectives to comply with applicable laws and regulations.
Event Identification
Identifying incidents both external and internal to the organization that could affect the achievement of the organization's objectives.
Key Management Questions
What could go wrong? How can it go wrong? What is the potential harm? What can be done about it?
Information and Communication
Systems that support the identification, capture, and exchange of information in a timely manner.
Monitoring
Processes that assess the quality of internal control performance over time.
Compliance Objectives
Goals aimed at ensuring adherence to laws and regulations.
Reporting Objectives
Goals focused on improving decision making and monitoring performance.
Risk Response
Actions taken to address identified risks.
Impact
The estimated potential loss if the event occurs.
Inherent Risk
Risk that exists before plans are made to control it.
Residual Risk
Risk that remains after controls have been applied.
Reduce
Implement effective internal control.
Accept
Do nothing; accept the likelihood and impact of the risk.
Share
Buy insurance, outsource, or hedge.
Avoid
Do not engage in the activity.
Segregation of Duties
Divide authority and responsibility between different functions to prevent fraud and errors.
Threat/Event
An occurrence that can cause harm or loss.
Exposure/Impact
The potential damage or loss resulting from a threat.
General controls
Controls that apply to all systems and processes.
Application controls
Controls that apply to specific applications or systems.
Sarbanes-Oxley Act (SOX)
U.S. law aimed at protecting investors by improving the accuracy and reliability of corporate disclosures.
Public Company Accounting Oversight Board (PCAOB)
Organization that oversees the audits of public companies.
Control Objectives for Information and Related Technology (COBIT)
Framework for developing, implementing, monitoring, and improving IT governance and management practices.
Committee of Sponsoring Organizations (COSO)
Organization that provides a framework for internal control and risk management.
Enterprise Risk Management Integrated Framework (ERM)
Framework for managing risk across an organization.